Defense Department Interim Rule Requiring Contractors to Self-Assess Cybersecurity Compliance Creates Potential FCA Risk

November 24, 2020

As concern over cybersecurity continues to grow,[1] defense contractors have been waiting for the Department of Defense (DoD) to roll out its Cybersecurity Maturity Model Certification (CMMC) program. That rollout has now begun: DoD’s recently published interim rule, Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)[2] (“Interim Rule”), takes effect Nov. 30, 2020, and provides for a five-year phase-in of CMMC. In an unexpected twist, the Interim Rule also imposes on many contractors a cybersecurity compliance self-assessment requirement, and with it the risk of False Claims Act (FCA) litigation.

Self-Assessment Requirement

The Interim Rule requires contractors to assess their cybersecurity compliance based on National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171,[3] and report the resulting score to the government. This self-assessment requirement applies to contractors already required to comply with NIST SP 800-171, pursuant to Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. The self-assessment system appears designed to give DoD increased visibility into contractors’ cybersecurity compliance in the near term, while the CMMC certification system is being phased in.

The summary-level score from the self-assessment must be reported to the government by posting it to the Supplier Performance Risk System (SPRS),[4] a database operated by the Defense Information Systems Agency (DISA). Implementing all 110 NIST SP 800-171 requirements yields the maximum score of 110; a contractor that scores below 110 must also report the date by which it expects to reach 110 and its plan of action and milestones (POAM) for doing so.

The self-assessment, conducted pre-award, is what DoD calls a Basic level assessment. DoD itself will conduct Medium and High level assessments of selected contractors post-award, based on the sensitivity of the data or the critical nature of the contract in question; the Medium and High levels reflect greater depth of assessment and a higher level of confidence in the resulting score. Interim Rule at I.A. For solicitations that include the new clauses, DFARS 252.204-7019 and 252.204-7020, a contractor must have a current Basic level assessment (no more than three years old, unless the solicitation specifies a shorter period) posted to SPRS in order to be considered for contract award or for the exercise of a contract option.

Currently, DFARS 252.204-7012, which is included in all solicitations and contracts,[5] requires contractors to implement the security requirements (110 in total, grouped into 14 families) specified in NIST SP 800-171. DoD has expressed concern that under the current system, in which a contractor submitting an offer on a government contract merely “self-attest[s] that [it] will implement the requirements in NIST SP 800-171,” controlled unclassified information (CUI) can be processed, stored, or transmitted by contractors that have not actually “implemented all of the 110 security requirements” or “establish[ed] enforceable timelines for addressing shortfalls and gaps.” Interim Rule at VII.A. Given the associated national security risks, DoD determined that the “status quo was not acceptable.” Id.

The new self-assessment requirements are set forth in DFARS 252.204-7019, which advises offerors of the new requirement, and 252.204-7020, which covers posting to SPRS. The requirements apply not only to prime contractors but also to subcontractors: prime contractors must flow down the substantive requirements of 252.204-7020 to all of their subcontractors (other than those supplying commercial off-the-shelf (COTS) goods). In addition, before awarding a subcontract, a prime contractor must verify that the subcontractor has a current cybersecurity assessment or self-assessment posted on SPRS.

Possible FCA Exposure from Self-Assessment

Because the summary-level score can only be computed by determining, requirement by requirement, whether each of the 110 NIST SP 800-171 requirements has been implemented, a contractor runs the risk of FCA liability if it posts a score that overstates its actual level of compliance with NIST SP 800-171. Such a circumstance could trigger one or both of two theories of liability under the FCA: false certification or fraud in the inducement.

False certification has two variants. Under implied false certification, a claimant for payment from the government (i) makes specific representations about the goods or services provided, while (ii) failing to disclose its noncompliance with material requirements (whether statutory, regulatory, or contractual), a nondisclosure that renders those representations “misleading half-truths.” See Universal Health Servs., Inc. v. United States ex rel. Escobar, 136 S. Ct. 1989, 2001 (2016). Under express false certification, the claimant explicitly certifies its compliance with certain requirements it has, in fact, breached. See United States ex rel. Hendow v. Univ. of Phoenix, 461 F.3d 1166, 1170–71 (9th Cir. 2006). Under the theory of fraud in the inducement, also called promissory fraud, FCA liability “attach[es] to each claim submitted to the government under a contract, when the contract or extension of government benefit was originally obtained through false statements or fraudulent conduct.” See id. at 1173.

At least two FCA litigation outcomes in the past year underscore the need for contractor vigilance over cybersecurity compliance. One was in United States ex rel. Glenn v. Cisco Systems, Inc., No. 1:11-cv-00400-RJA (W.D.N.Y.),[6] where the qui tam relator alleged FCA violations due to cyber vulnerabilities in surveillance video software sold to the Secret Service, Department of Homeland Security, airports, and other government entities and facilities. In July 2019, a nearly $9 million settlement was announced, apparently the first time a cybersecurity-related FCA action has settled.

The other came in United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., 381 F. Supp. 3d 1240 (E.D. Cal. 2019), a qui tam action explicitly tied to the DFARS 252.204-7012 cybersecurity requirements. In Aerojet, the relator alleged the defendant contractor misrepresented its level of compliance with the 7012 clause in order to fraudulently obtain government contracts with DoD and NASA. In moving to dismiss, the defendant argued, in relevant part, that the relator’s complaint failed to plead materiality because the defendant had disclosed to the government that it was not in compliance with the DFARS clause. However, the court found the relator plausibly alleged that the defendant disclosed its noncompliance only partially, and that the government might not have awarded the contracts had it known the true extent of noncompliance—enough of a showing of materiality to survive the motion to dismiss. See 381 F. Supp. 3d at 1247.

Given the potential FCA risks, contractors will need to exercise great care in performing the DFARS 252.204-7020 self-assessment. The summary-level score should count only those NIST SP 800-171 requirements the contractor has concluded are fully implemented, and the contractor should retain documentation of the evidence and reasoning behind each of those conclusions. A contractor also needs to treat its representation of the target date for reaching a score of 110 as a commitment, and act on the POAM it submitted to that end.

CMMC Certification Program

Alongside the assessment requirement, the Interim Rule’s other cybersecurity prong is the CMMC requirement, contained in DFARS 252.204-7021. During the five-year roll-out period, Nov. 30, 2020 through Sept. 30, 2025, the Office of the Under Secretary of Defense for Acquisition and Sustainment will determine which solicitations and contracts include the CMMC requirement. From Oct. 1, 2025 forward, CMMC will apply to all DoD solicitations and contracts (other than procurements of COTS items or acquisitions below the micro-purchase threshold).

For each of its relevant information systems, and throughout the life of a contract, task order, or delivery order, a contractor must maintain a CMMC certification that is not more than three years old (unless the relevant solicitation specifies a shorter period), at the level specified in the contract or order. Before exercising a contract option or extending the period of performance on a contract or order, the contracting officer must verify via SPRS that the contractor holds a current CMMC certificate at the required level. Certifications must therefore be renewed before they expire in order to preserve continued eligibility for contract awards, options, and extensions.


[1] See, e.g., U.S. Cybersecurity and Infrastructure Security Agency (CISA), Cybersecurity, https://www.cisa.gov/cybersecurity; Milton Ezrati, Cybersecurity: A Major Concern and a Great Business Opportunity, Forbes (Sept. 5, 2018), https://www.forbes.com/sites/miltonezrati/2018/09/05/cyber-security-a-major-concern-and-a-great-business-opportunity; see also DFARS Case 2019-D041, at I (noting Council of Economic Advisers estimate of $57–109 billion in costs to the U.S. economy from malicious cyber activity in 2016 alone).

[2] The interim rule can be accessed at https://federalregister.gov/d/2020-21123.

[3] NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, can be accessed at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf. The NIST document sets forth 110 security requirements, grouped into 14 requirement families.

[4] SPRS can be accessed at https://www.sprs.csd.disa.mil.

[5] The DFARS provision applies even to contracts using Federal Acquisition Regulation (FAR) part 12 commercial item procedures, except for acquisitions exclusively of commercial off-the-shelf (COTS) items.

[6] See our separate analysis of the Cisco Systems settlement.