Justice’s Civil Cyber-Fraud Initiative Will Hold Contractors Accountable for Cybersecurity Standards

Published: October 28, 2021


The new Justice program raises the prospect of fraud charges for contractors or grantees who knowingly run afoul of federal cybersecurity standards.

Halloween makes October the month of the year when costumes and disguises are most popular. October is also Cybersecurity Awareness Month, and one federal agency wants federal contract holders and grant awardees to be aware that they could face federal fraud charges if they disguise cyber vulnerabilities in their products or hide behind false cyber facades.

Earlier this month, the Department of Justice launched the Civil Cyber-Fraud Initiative (CCFI) to pursue cybersecurity-related fraud charges against government contractors and grant recipients through the False Claims Act (FCA), including the law's whistleblower (qui tam) provisions, which allow private parties to file suit on the government's behalf.

Growing Accountability to Federal Cybersecurity Standards

The new task force will hold accountable companies or individuals that put federal agency information or systems at risk “by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or by knowingly violating obligations to monitor and report cybersecurity incidents and breaches,” according to Deputy Attorney General Lisa Monaco.

The enforcement mechanism behind the CCFI is the FCA, but the cybersecurity standards that contractors will be held to are largely those already written into their contracts. Chief among them is National Institute of Standards and Technology (NIST) SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, which is also the basis for the DOD's Cybersecurity Maturity Model Certification (CMMC) initiative.

Contractor Implications

The CCFI is one of the latest efforts to enforce contractor compliance with federal cybersecurity standards. Its creation further shifts the federal posture toward proactive enforcement, adding resources and consequences for those that knowingly ignore these standards. The FCA provides for treble damages plus per-claim civil penalties, so the recoveries, damages and legal costs arising from a violation could be significant.

Knowing misrepresentation or violation by a federal contractor is repugnant and may sully the reputation of the wider contracting community. The broader implication, however, is that federal contractors need to stay well aware of the standards, requirements and expectations that agencies are putting in place to ensure that their supply chain is secure, trustworthy and communicative. This is why we see plans to add contract language requiring contractors to share cyber threat and incident information when incidents or breaches occur in areas that may directly or indirectly affect the agency.

These and other contractor-impacting provisions were part of the sweeping White House Cyber Executive Order (EO) 14028 issued in May. This latest effort by the DOJ will put additional teeth into the regulations that follow from it.