As the recent SolarWinds Orion attack makes clear, cybersecurity will be a focus in the coming years for both governmental and non-governmental entities alike.  In the federal contracting community, it has long been predicted that the government’s increased cybersecurity requirements will eventually lead to a corresponding increase in False Claims Act (FCA) litigation involving cybersecurity compliance.  This prediction may soon be proven true, as a December 2020 speech from Deputy Assistant Attorney General Michael Granston specifically identified “cybersecurity related fraud” as an “area where we could see enhanced False Claims Act activity.”  This post discusses recent efforts to use the FCA to enforce cybersecurity compliance — and, based on those efforts, what government contractors may expect to see in the future.

In recent years, the government and qui tam plaintiffs have begun using the FCA to pursue alleged noncompliance with cybersecurity regulations, and some of these efforts have gained traction.  For instance, in May 2019, a federal district court in California declined to dismiss a case alleging that a government contractor had falsely asserted its compliance with cybersecurity standards when entering into Department of Defense contracts.  And in July 2019, the Department of Justice announced that another contractor had agreed to pay more than $8 million in connection with resolving a qui tam suit alleging failure to meet federal cybersecurity standards, marking the first settlement based on FCA allegations related to cybersecurity noncompliance.

More recently, however, at least one court rejected the attempt to build an FCA case out of alleged deviations from cybersecurity regulations.  In October 2020, a federal district court in the District of Columbia dismissed a qui tam suit alleging that a contractor had failed to disclose a security vulnerability in the computer systems that it sold to the United States.  United States ex rel. Adams v. Dell Computer Corp., 15-cv-608 (D.D.C. Oct. 8, 2020).  The court’s dismissal was based on its conclusion that the whistleblower had failed to show that the noncompliance was “material.”  As the court noted, “the technology policies referenced . . . do not require defect-free products,” and that any applicable security policy could have instead been addressed by “providing the necessary assistance to eliminate or reduce vulnerabilities as they appear.”

Going forward, we expect the FCA’s strict materiality requirement will continue to present a significant  hurdle for plaintiffs in future cases alleging noncompliance with increasingly detailed cybersecurity regulations.  As Mr. Granston’s recent speech portends, however, the federal government and qui tam plaintiffs are poised to bring suits under the FCA predicated on allegations of cybersecurity noncompliance.  While these allegations could take myriad forms, there are two regulatory developments in particular that may provide ammunition to enterprising whistleblowers – and pose FCA risk for unwary contractors. First, under the NIST 800-171 DoD Assessment Methodology, DoD is now requiring that  contractors complete a pre-award self-assessment (formally known as a “Basic Assessment”) of their compliance with the 110 security controls found in NIST 800-171.  That Basic Assessment results in a numerical score that is provided to the government and a date by which the contractor represents it will be in full compliance with all NIST 800-171 controls.  Following award, the DoD may decide to complete its own Medium Assessment (via a paper review) or High Assessment (via an in-person review) of a contractor’s compliance with the NIST 800-171 security requirements.

This assessment process could give rise to disagreements between the contractor and the government over the extent to which the contractor is complying with the NIST 800-171 security controls.  In particular, a large discrepancy between the Basic Assessment’s numerical score and the Medium or High Assessment’s numerical score could lead to allegations that the contractor failed to accurately represent its cybersecurity requirements, thereby raising the specter of FCA risk.

Second, defense contractors will soon be asked to obtain and provide a Cybersecurity Maturity Model Certification (CMMC) from an accredited CMMC Third Party Assessment Organization.  As part of this certification process, contractors will be expected to show their ability to meet the NIST 800-171 security requirements as well as several additional security controls.  Allegations of inconsistencies between the self-assessment of compliance with 800-171 and the third party CMMC assessment, may also draw the attention of would-be qui tam plaintiffs.

However, it may prove difficult for the government or qui tam plaintiffs to establish FCA liability based on allegations of cybersecurity noncompliance.  First, and as noted above, FCA liability can only be imposed where the requirement is “material,” meaning that the noncompliance would have a “natural tendency to influence, or be capable of influencing” the government’s decision to pay the contractor.  However, federal contracts often contain cybersecurity requirements among a list of dozens — if not hundreds — of other regulatory obligations.  In many cases it is unlikely that the government’s decision to pay a contractor would depend on  strict compliance with a particular cybersecurity control or set of controls, in which case noncompliance with that control would not be “material.”

Second, FCA liability requires a showing that a noncompliance was “knowing,” meaning that the contractor actually knew they were not in compliance with a requirement, acted with deliberate ignorance, or acted with reckless disregard.  However, many of the cybersecurity requirements are new, and drafted broadly, allowing reasonable differences in technical interpretation. There is substantial case law establishing that a contractor cannot be held liable under the FCA for a reasonable, good-faith reading of unclear regulatory requirements.

Thus, even if the predictions about an uptick in FCA cybersecurity cases come true, there are good reasons for thinking that many such matters will face significant headwinds.  Although all cases are different, the standard defenses in such matters will be fully available, including both substantive defenses like those outlined above, and procedural defenses such as the statute’s Public Disclosure bar.  Nonetheless, the likelihood of an increase in FCA cases underscores the importance of ensuring careful attention to cybersecurity compliance and associated representations.

Photo of Michael Wagner Michael Wagner

Mike Wagner represents companies and individuals in complex compliance and enforcement matters arising in the public procurement context. Combining deep regulatory expertise and extensive investigations experience, Mike helps government contractors navigate detailed procurement rules and achieve the efficient resolution of government investigations and…

Mike Wagner represents companies and individuals in complex compliance and enforcement matters arising in the public procurement context. Combining deep regulatory expertise and extensive investigations experience, Mike helps government contractors navigate detailed procurement rules and achieve the efficient resolution of government investigations and enforcement actions.

Mike regularly represents contractors in federal and state compliance and enforcement matters relating to a range of procurement laws and regulations. He has particular experience handling investigations and litigation brought under the civil False Claims Act, and he routinely counsels government contractors on mandatory and voluntary disclosure considerations under the FAR, DFARS, and related regulatory regimes. He also represents contractors in high-stakes suspension and debarment matters at the federal and state levels, and he has served as Co-Chair of the ABA Suspension & Debarment Committee and is principal editor of the American Bar Association’s Practitioner’s Guide to Suspension & Debarment (4th ed.) (2018).

Mike also has extensive experience representing companies pursuing and negotiating grants, cooperative agreements, and Other Transaction Authority agreements (OTAs). In this regard, he has particular familiarity with the semiconductor and clean energy industries, and he has devoted substantial time in recent years to advising clients on strategic considerations for pursuing opportunities under the CHIPS Act, Inflation Reduction Act, and Bipartisan Infrastructure Law.

In his counseling practice, Mike regularly advises government contractors and suppliers on best practices for managing the rapidly-evolving array of cybersecurity and supply chain security rules and requirements. In particular, he helps companies assess and navigate domestic preference and country-of-origin requirements under the Buy American Act (BAA), Trade Agreements Act (TAA), Berry Amendment, and DOD Specialty Metals regulation. He also assists clients in managing product and information security considerations related to overseas manufacture and development of Information and Communication Technologies & Services (ICTS).

Mike serves on Covington’s Hiring Committee and is Co-Chair of the firm’s Summer Associate Program. He is a frequent writer and speaker on issues relating to procurement fraud and contractor responsibility, and he has served as an adjunct professor at the George Washington University Law School.

Photo of Peter B. Hutt II Peter B. Hutt II

Peter Hutt represents government contractors in a range of complex investigation, litigation, and compliance matters, including False Claims Act and fraud investigations and litigation, compliance with accounting, cost, and pricing requirements, and contract claims and disputes.

Peter has litigated more than 25 qui…

Peter Hutt represents government contractors in a range of complex investigation, litigation, and compliance matters, including False Claims Act and fraud investigations and litigation, compliance with accounting, cost, and pricing requirements, and contract claims and disputes.

Peter has litigated more than 25 qui tam matters brought under the False Claims Act, including matters alleging cost mischarging, CAS violations, quality assurance deficiencies, substandard products, defective pricing, Iraqi procurement fraud, health care fraud, and inadequate subcontractor oversight. He has testified before Congress concerning proposed amendments to the False Claims Act.

Peter has also conducted numerous internal investigations and frequently advises clients on whether to make disclosures of potential wrongdoing.

Peter also represents clients in a wide range of accounting, cost, and pricing matters, as well as other contract and grant matters. He is experienced in addressing issues concerning pensions and post-retirement benefits, contract formation, TINA and defective pricing, claims and terminations, contract financing, price reduction clauses, subcontracting and supply chain compliance, specialty metals compliance, and small business and DBE compliance. He has litigated significant cost, accounting, and contract breach matters in the Court of Federal Claims and the Armed Services Board of Contract Appeals.

Peter is recognized for his work both in government contracts and in False Claims Act disputes by Chambers USA, which notes that “He is absolutely outstanding. He is thoughtful and client-focused.” Chambers also notes that “Peter’s judgment and problem solving ability is unique. He is a very good False Claims Act lawyer.”

Photo of Susan B. Cassidy Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors…

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well established defense contractors and she provides compliance advices across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.

Photo of Andrew Guy Andrew Guy

Andrew Guy advises clients across a broad range of government contracting issues — including regularly representing contractors in bid protests before the U.S. Court of Federal Claims and the U.S. Government Accountability Office (“GAO”).

Andrew also has extensive investigations and False Claims Act…

Andrew Guy advises clients across a broad range of government contracting issues — including regularly representing contractors in bid protests before the U.S. Court of Federal Claims and the U.S. Government Accountability Office (“GAO”).

Andrew also has extensive investigations and False Claims Act experience. He routinely assists clients in responding to Civil Investigative Demands and other government inquiries.

Before joining the firm, Andrew clerked for the Honorable Kenneth F. Ripple of the U.S. Court of Appeals for the Seventh Circuit.