In recent years, the government and qui tam plaintiffs have begun using the FCA to pursue alleged noncompliance with cybersecurity regulations, and some of these efforts have gained traction. For instance, in May 2019, a federal district court in California declined to dismiss a case alleging that a government contractor had falsely asserted its compliance with cybersecurity standards when entering into Department of Defense contracts. And in July 2019, the Department of Justice announced that another contractor had agreed to pay more than $8 million in connection with resolving a qui tam suit alleging failure to meet federal cybersecurity standards, marking the first settlement based on FCA allegations related to cybersecurity noncompliance.
More recently, however, at least one court rejected the attempt to build an FCA case out of alleged deviations from cybersecurity regulations. In October 2020, a federal district court in the District of Columbia dismissed a qui tam suit alleging that a contractor had failed to disclose a security vulnerability in the computer systems that it sold to the United States. United States ex rel. Adams v. Dell Computer Corp., 15-cv-608 (D.D.C. Oct. 8, 2020). The court’s dismissal was based on its conclusion that the whistleblower had failed to show that the noncompliance was “material.” As the court noted, “the technology policies referenced . . . do not require defect-free products,” and any applicable security policy could instead have been addressed by “providing the necessary assistance to eliminate or reduce vulnerabilities as they appear.”
Going forward, we expect the FCA’s strict materiality requirement will continue to present a significant hurdle for plaintiffs in future cases alleging noncompliance with increasingly detailed cybersecurity regulations. As Mr. Granston’s recent speech portends, however, the federal government and qui tam plaintiffs are poised to bring suits under the FCA predicated on allegations of cybersecurity noncompliance. While these allegations could take myriad forms, there are two regulatory developments in particular that may provide ammunition to enterprising whistleblowers – and pose FCA risk for unwary contractors.
First, under the NIST 800-171 DoD Assessment Methodology, DoD is now requiring that contractors complete a pre-award self-assessment (formally known as a “Basic Assessment”) of their compliance with the 110 security controls found in NIST 800-171. That Basic Assessment results in a numerical score that is provided to the government, together with a date by which the contractor represents it will be in full compliance with all NIST 800-171 controls. Following award, the DoD may decide to complete its own Medium Assessment (via a paper review) or High Assessment (via an in-person review) of a contractor’s compliance with the NIST 800-171 security requirements. This assessment process could give rise to disagreements between the contractor and the government over the extent to which the contractor is complying with the NIST 800-171 security controls. In particular, a large discrepancy between the Basic Assessment’s numerical score and the Medium or High Assessment’s numerical score could lead to allegations that the contractor failed to accurately represent its compliance with the cybersecurity requirements, thereby raising the specter of FCA risk.