Navigating Cybersecurity Requirements to Win Contracts and Avoid False Claims Act Allegations
By John S. Pachter, Armani Vadiee, and Todd M. Garland
6/13/2019
Companies doing business with the U.S. government are familiar with unnecessary regulatory burdens imposed by the federal procurement system, and the federal government’s recent focus on cybersecurity has added to them. Contracts with executive agencies typically include FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems (June 2016). When Federal contract information (non-public information provided by or generated for the government under a contract) resides in or transits a contractor’s information system, the clause requires the contractor to apply 15 basic safeguarding requirements. Among other things, a contractor must limit system access to authorized users, control information posted on publicly accessible systems, identify and authenticate users, escort visitors and monitor visitor activity, and identify and correct system flaws and protect against malicious code in a timely manner.
The Department of Defense (“DOD”) requirements are more stringent. DOD contracts that involve storing, processing, or transmitting covered defense information include DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which required contractors to implement the security requirements of National Institute of Standards and Technology (“NIST”) Special Publication 800-171 no later than December 31, 2017. Since January 1, 2018, therefore, a contractor handling covered defense information has been expected to have those controls in place, or to have documented any unimplemented requirements in its system security plan and plans of action. The clause must also be flowed down to subcontractors whose performance involves covered defense information, so prime contractors must ensure lower-tier subcontractors meet the same requirements. Companies that cannot meet these demands risk losing new awards. But a company that exaggerates its compliance with cybersecurity requirements, or fails to fully disclose noncompliance, could face allegations that it fraudulently induced the government to award the contract.
The Federal Government’s Increased Emphasis on Evaluating Cybersecurity Compliance
Effective cybersecurity compliance is increasingly important to winning awards and to protecting successful proposals from challenges by competitors. Recent events, such as the Office of Personnel Management (“OPM”) data breach (which began in 2014, was disclosed in 2015, and exposed personnel files for 4.2 million current and former federal employees and background investigation records for 21.5 million people), mean contractors should expect that their ability to meet cybersecurity requirements will be subject to increased scrutiny. Contractors with inadequate cybersecurity systems may find themselves eliminated from the competition. See Syneren Techs. Corp., B-415058, Nov. 16, 2017, 2017 CPD ¶ 363.
Even if a contractor is not required to meet stringent cybersecurity requirements, agency solicitations often use a contractor’s cybersecurity system as a technical evaluation factor. Agencies can assign strengths for a proposed cybersecurity framework if the system helps manage cybersecurity risk and leads to improved efficiencies. See IPKeys Techs., LLC, B-414890, Oct. 4, 2017, 2017 CPD ¶ 311. In IPKeys Technologies, the contractor’s award was based, in part, on its agreement to voluntarily exceed the cybersecurity requirements in the RFP. In another case, the agency assessed deficiencies against three offerors that failed to address cybersecurity requirements in their proposals. Jardon & Howard Techs., Inc., B-415330.3, May 24, 2018, 2018 CPD ¶ 195. As in IPKeys Technologies, the awardee’s proposal included information about its cybersecurity system that went beyond the solicitation requirements. These decisions illustrate the potential benefit to contractors of demonstrating that they can exceed an agency’s minimum cybersecurity requirements.
Exaggerating or Misrepresenting Cybersecurity Compliance May Lead to an FCA Claim
Contractors that misrepresent compliance with cybersecurity requirements could also face allegations under the False Claims Act (“FCA”), 31 U.S.C. § 3729 et seq. Last month, a federal court permitted a contractor’s former senior director of Cyber Security, Compliance, and Controls to proceed with a qui tam action alleging the company entered into government contracts while knowing it could not meet requirements to guard information from cybersecurity threats. U.S. ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., 2019 WL 2024595 (E.D. Cal. May 8, 2019). The case is still in the pleading stage, so the court assumed the allegations to be true. And the Department of Justice, after investigating the allegations, declined to intervene, which may suggest the claims lack merit. Still, the case illustrates the need to ensure compliance with cybersecurity requirements.
Contractors must also ensure their representations about their ability to meet cybersecurity requirements are complete and accurate. In Aerojet, the contractor had disclosed noncompliance with certain cybersecurity requirements, but the relator alleged that it had not disclosed the full extent of its inability to comply, including its inability to implement required security controls and firewalls. Failing to disclose noncompliance with cybersecurity requirements might be a misleading half-truth, and, under the FCA, “representations that state the truth only so far as it goes, while omitting critical qualifying information, can be actionable misrepresentations.” Universal Health Servs., Inc. v. United States ex rel. Escobar, 136 S. Ct. 1989, 2000 (2016). Failing to fully disclose an inability to meet cybersecurity obligations could therefore be considered “misleading in context,” and serve as the basis for an FCA claim. See id.
Conclusion
The recent imposition of contract clauses mandating that contractors safeguard information from cyberthreats has made contracting with the federal government more difficult. Despite these challenges, contractors must ensure that they comply with cybersecurity regulations and that their disclosure of any noncompliance is complete and accurate. Cybersecurity system defects may lead to adverse evaluations and rejection of your proposal. At the same time, attempting to hide defects, or failing to disclose the full extent of noncompliance, could result in a qui tam action alleging you fraudulently induced the government to award the contract.
John S. Pachter | jpachter@smithpachter.com
Armani Vadiee | avadiee@smithpachter.com
Todd M. Garland | tgarland@smithpachter.com
Smith Pachter McWhorter PLC
8000 Towers Crescent Drive, Suite 900 | Tysons Corner, VA 22182 | 703.847.6300 | www.smithpachter.com
This article originally appeared in the 2019 PSC Federal Acquisition Conference Thought Leadership Compendium.