CMMC REQUIREMENTS COULD LEAD BUSINESSES TO SUFFER UNDER THE FALSE CLAIMS ACT
By Ken Michael
Business leaders be forewarned: the United States government may not pay you and may even take you to court if you fail to comply with cybersecurity requirements outlined in the Federal Acquisition Regulations (FAR) and incorporated into federal government contracts.
We’ve all seen the recent headlines about data breaches that have impacted businesses across the U.S. from the Colonial Pipeline hack that created gasoline shortages along the east coast early this summer to the attack on global meat production giant JBS, forcing it to shut down all of its beef plants in America for a stint. Even hundreds of managed service providers (MSPs) that supply IT and cybersecurity services to clients around the nation just suffered a massive breach that left thousands of their clients’ data at risk when a vulnerability in the Kaseya VSA software was exploited by a Russian hacking group.
With new requirements being implemented as part of the U.S. Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC), DoD contractors may find themselves in court facing allegations of violating the False Claims Act (FCA) if they do not maintain their CMMC compliance throughout the entirety of a government contract. The prospect of landing in court under the FCA is yet another burden facing businesses doing contract work for the DoD.
Overwhelming Hack Attacks
All of these major recent hacks demonstrate the need for improved cybersecurity. According to Statista.com, the number of records exposed in U.S. data breaches has skyrocketed in the last few years. In 2016, 36.3 million records were exposed, and that number climbed to 471.23 million in 2018. With improved cybersecurity practices, that number was reduced to 155.8 million in 2020.
While the number of records exposed in U.S. breaches has dropped in the last couple of years, the number of breaches is still unacceptably high. Statista shows 1,632 breach cases in the U.S. alone in 2017. That number dropped to 1,257 in 2018 but rebounded to 1,473 cases in 2019. It dropped again to 1,001 breach cases in 2020, but 2021 has already been one for the books: the website Itgovernance.co.uk reports that in the first four months of 2021, nearly four billion (yes, billion) records were breached.
These breaches are not isolated to private business. Governments around the world, including the United States, have seen attacks as well. The attacks have come from state actors and private hackers looking to cash in on trade secrets or hold utilities ransom for large lump sums.
Should a contractor's NIST SP 800-171 assessment lapse during the course of a contract, the contractor or subcontractor would become non-compliant, and that non-compliance brings us back to the FCA. As part of their contract with the DoD, businesses and their subcontractors agree to stay in compliance at all times with the DFARS, NIST SP 800-171, and CMMC requirements. If they fail even one part of the compliance assessment, or let their assessment lapse during the course of the contract, a whistleblower could file an FCA suit against them.
The False Claims Act
The FCA was originally enacted in 1863, during the American Civil War, in response to defense contractors making false claims to receive funds from the U.S. government. As originally written, it provided “that any person who knowingly submitted false claims to the government was liable for double the government’s damages plus a penalty of $2,000 for each false claim.” The FCA has been amended over the years, and violators are now liable for three times the damages plus a penalty indexed to inflation.
In addition to the U.S. government pursuing fraud against it through the FCA, private citizens can file suit on behalf of the government. These are known as “qui tam” suits.
“Private citizens who successfully bring qui tam actions may receive a portion of the government’s recovery. Many fraud section investigations and lawsuits arise from such qui tam actions,” according to the Justice Department website.
With DFARS 252.204-7021, NIST SP 800-171, and CMMC requirements being phased into all DoD contracts over the next four years, contractors and their subcontractors are all on the hook for meeting the cybersecurity obligations outlined therein. If they don’t, the government or any private citizen could drag them into court under the FCA.
Of course, the DFARS requirements will not apply to contracts for purchases of commercially available off-the-shelf (COTS) products unless those purchases are part of a larger DoD acquisition. The DFARS clauses will also not be required in contracts for purchases at or below the micro-purchase threshold.
Assessments and CUI
When a contractor completes its NIST SP 800-171 assessment, it files the results with the Supplier Performance Risk System (SPRS). The SPRS is a database that tracks contractor compliance with the controlled unclassified information (CUI) security requirements.
Assessments can be conducted so that businesses achieve a “medium” or “high” assessment rating. DoD's interim rule states that the DoD expects to assess approximately 200 entities annually at the “medium” rating and 110 organizations annually at the “high” rating. Starting in November 2020, DoD contracting officers were required to check the SPRS to validate that contractors had a current assessment on file.
What Government Contractors Need To Know
With respect to CMMC, government contractors and subcontractors need to understand which of the five CMMC levels applies to them and the cybersecurity requirements they are expected to meet at that level. The issue is that the CMMC requirements are currently a moving target, so staying compliant throughout the course of a long-term government contract could prove quite problematic.
Under the new CMMC, DoD contracts will require contractors and subcontractors to meet more than 110 security practices. Businesses fulfilling DoD contracts will need to ensure that their IT personnel and any third-party providers are continuously vigilant about staying on top of the cybersecurity requirements of government contracts. If they fail, businesses could find themselves in court facing FCA litigation by the government or a qui tam claim.
What’s more, government contractors not in compliance with CMMC may find themselves going unpaid. If a contractor fails to comply with the CMMC or doesn’t immediately report a failure to comply with any portion of the CMMC requirements during the course of a contract, it could lead to FCA litigation.
Ryan Bradel, a government contracts attorney with Ward & Berry, a law firm in Washington, D.C., stated, “Constant vigilance of a contractor’s compliance with the CMMC will be essential to overcoming any FCA claims.” He also said that under the Biden administration, government contractors should expect the Department of Justice to take a more active and aggressive role in FCA litigation.
In conclusion, the new CMMC regulations being included in DoD contracts increase the risk contractors face under the FCA. Contractors and their subcontractors need to remain ever vigilant about continuously meeting cybersecurity requirements throughout the course of their DoD contracts.
If your business needs assistance with achieving or maintaining DFARS, NIST SP 800-171, and/or CMMC requirements, contact Dox Electronics now at (585) 473-7766. The initial consultation is free and there is no obligation. Our experienced cybersecurity experts are here to support your business.