On October 6, 2021, the Department of Justice (DOJ) announced a new Civil Fraud Cyber Initiative to “combine the department’s expertise in civil fraud enforcement, government procurement and cybersecurity to combat new and emerging cyber threats to the security of sensitive information and critical systems.”
As noted in a May 20, 2021, McGuireWoods alert, President Biden issued Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” on May 12, 2021, mandating that the federal government significantly improve cybersecurity within its networks and modernize federal cyber defenses, with important implications for federal contractors. The EO acknowledged that the United States “faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy” and called for the Administration to review and implement changes to its information technology and operational technology contract requirements and language to improve cybersecurity. This move followed a series of sweeping cyberattacks on federal contractors and federal government networks over the past year, including a recent incident that resulted in gasoline shortages across the U.S. East Coast and another that involved breaches of the networks of several federal agencies.
The DOJ initiative builds upon the earlier EO and provides that the Department will use its power under the False Claims Act (FCA), including through support for qui tam whistleblowers, to increase enforcement of cybersecurity-related fraud by federal contractors and grant recipients. While some contractors previously believed it to be “less risky to hide a breach than to bring it forward and to report it,” according to Deputy Attorney General Lisa O. Monaco, the federal government has now committed to ensuring government contractors who receive federal funds follow increased cybersecurity standards. The initiative commits to increase enforcement against contractors in the following areas: (1) provision of deficient cybersecurity products or services; (2) misrepresentations regarding cybersecurity practices or protocols; and (3) violations of obligations to monitor and report cybersecurity incidents and breaches.
The DOJ’s initiative comes in response to the EO’s establishment of a carrot-and-stick treatment for contractors, removing contractual barriers and tightening contractual requirements related to reporting information about threats, incidents, and risks. The related May 12, 2021, White House fact sheet explained that “requiring providers to share breach information that could impact Government networks is necessary to enable more effective defenses of Federal departments, and to improve the Nation’s cybersecurity as a whole.” While increasing enforcement scrutiny, the initiative aims to provide federal contractors clarity on best practices and legal obligations related to cybersecurity compliance, monitoring, and reporting.
Most importantly for contractors, DOJ has stated that the goals of the initiative specifically include:
- building broad resiliency against cybersecurity intrusions across the government, the public sector, and key industry partners;
- holding contractors and grantees to their commitments to protect government information and infrastructure;
- supporting government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in commonly used information technology products and services;
- ensuring that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage;
- reimbursing the government and taxpayers for losses incurred when companies fail to satisfy their cybersecurity obligations; and
- improving overall cybersecurity practices that will benefit the government, private users, and the American public.
In light of the DOJ’s promise to use the FCA to improve cybersecurity, federal contractors should refamiliarize themselves with the Supreme Court’s 2016 holding in Universal Health Services, Inc. v. United States ex rel. Escobar, “that the implied certification theory can be a basis for liability, at least where two conditions are satisfied: first, the claim does not merely request payment, but also makes specific representations about the goods or services provided; and second, the defendant’s failure to disclose noncompliance with material statutory, regulatory, or contractual requirements makes those representations misleading half-truths.” Contractors should also monitor the EO’s call for a series of changes to federal contract security language so that they can consider participating in public comment opportunities for proposed rules. To that end, we expect contracting agencies to begin closer review and enforcement of the cybersecurity and related breach reporting requirements under, among other clauses, FAR 52.204-21, DFARS 252.204-7012, DFARS 252.204-7020, and the Cybersecurity Maturity Model Certification (CMMC) process (see, e.g., DFARS 252.204-7021), including referral to DOJ for FCA enforcement where a material noncompliance is identified.
Please contact the authors if you have any questions regarding cybersecurity or False Claims Act compliance or issues related to a particular contract or security concern.
About McGuireWoods’ Government Contracts Team
The Government Contracts team at McGuireWoods has decades of collective experience assisting contractors and subcontractors in government contracting, including the navigation of proposal submission and compliance issues. Based strategically in the Washington, D.C., area, our full-service practice leverages McGuireWoods’ strong defense and national security credentials at every step in the procurement process. Our attorneys counsel clients ranging from small businesses to the nation’s largest government contractors on issues arising under the Federal Acquisition Regulation and its agency-specific supplements, and our team regularly assists clients in negotiating significant federal contracts and contract modifications.
We also have the deep experience necessary to defend our clients’ interests in bid protests, in litigation with the government and other contractors, and in investigations and regulatory enforcement actions involving a wide range of federal and state agencies, inspectors general, and law enforcement personnel. We provide these services to clients operating in a broad variety of industries and sectors, including defense, national and homeland security, intelligence support, technology, construction, healthcare, aerospace and energy.
About McGuireWoods’ Data Privacy & Security Practice
Our Data Privacy & Security team comprises more than 30 interdisciplinary lawyers, including experienced IP and class-action litigators and technology-focused transactional lawyers to assist clients with the full spectrum of data privacy, security and technology needs. Through McGuireWoods Consulting, we also offer lobbying services to ensure that our clients have a voice in shaping precedent-setting and far-reaching legislation.
We provide proactive counseling to protect the integrity of our clients’ data and payment systems, investigative and remediation services that may be required after a breach, and guidance to assist our clients as they develop new relationships and sources of revenue.