One of the most important and continuing developments in government contracting over the last several years centers around cybersecurity. The Department of Defense’s CMMC program, and its recent iterations and rollouts, the Cybersecurity & Infrastructure Security Agency and its growth, and the Department of Justice’s Civil Cyber-Fraud Initiative are examples of the federal government’s sweeping (and swift) initiative to address and combat cyber-attacks by way of its supply chain. As a result, contractors and their subcontractors are not only facing increased compliance requirements – that for the most part do not delineate between small and large concerns in terms of applicability – they are also dealing with a customer who is serious about scrutiny, enforcement, and legal ramifications.
The Aerojet Rocketdyne Settlement
Although the cyber compliance regulations are relatively new and place a significant implementation burden on companies, the government is making it clear that noncompliance is not an option. Most notably, the Department of Justice’s Civil Cyber-Fraud Initiative’s use of the False Claims Act resulted in a settlement recently against Aerojet Rocketdyne. The contractor agreed to pay $9 million dollars to resolve claims that it violated the Act by misrepresenting its conformance with cybersecurity obligations. The whistleblower was a former employee who alleged Aerojet made false statements about the company’s noncompliance with the applicable DFARS and NFARS clauses designed for the protection of information from unauthorized disclosure. This settlement sends a sharp message to industry that the government will hold contractors accountable for misrepresenting their cybersecurity performance requirements.
Cybersecurity Is Not Limited to Prime Contractors; But They Bear the Ultimate Burden
With the increasing importance of cybersecurity accountability, prime contractors face mandatory flow-down clauses that create additional risk and liability. Primes may be able to diffuse responsibility for cyber compliance through well-drafted subcontract agreements, but ultimately, they are accountable for ensuring their subs meet the applicable requirements. Meaning, irrespective of the flow-down, prime contractors must confirm the security of their partners. Given the potential implications of noncompliance (non-payment, fraud claims, suspension, debarment, criminal liability), prime contractors will want to undertake cybersecurity protocols that include risk, controls, and implementation assessments not only in-house but also as to their subcontractors.
The June 16, 2022 DoD Memo
In a memorandum circulated to its contracting officers, the Department of Defense reminded these officials of their obligation to monitor cybersecurity compliance. Specifically, the memo outlines the basic requirements of DFARS 252.204-7012 and -7020 and the options contracting officers have to enforce conformity with these clauses. For example, DoD reminds them that failure to meet the conditions of -7012 by having or making progress on a plan to implement NIST SP 800-171 is a material breach subject to remedies like withholding of progress payments, not exercising options, or termination of the contract. This memo is yet another message to contractors that the government intends to ensure its cyber protection mechanisms are implemented.
It Isn’t Just About Compliance
While compliance post-award is critical, contractors should remember that cybersecurity is becoming a key metric for acquisition. It is routinely appearing as a procurement evaluation criterion. As a result, prospective contractors should take affirmative steps to put themselves in a competitive position by demonstrating their cybersecurity protections and thus engendering confidence in contracting officers who have mandates to protect covered information.
The key takeaway for contractors is that the government is on a mission to ensure that the information safeguards promulgated by the regulations are undertaken and met. A renewed and more earnest effort across government is ensuing to utilize the power of contractual remedies and the False Claim Act to effectuate cybersecurity compliance. Contractors must be aware of the requisite security requirements and have adequate systems in place so that they may meet these obligations and be prepared to defend any claim of a failure to do so.