Federal contractors are now legally required to uphold certain cybersecurity standards in order to be in compliance with their contracts with government agencies. In many ways, this change is a positive one, bringing more clarity and structure to the way that contractors conduct business. Ensuring compliance with cybersecurity protocols is in everyone’s best interests—preventing hacks, data breaches, and ransomware attacks saves contractors money while protecting taxpayer data and investment.
However, for contractors who do not meet these standards, severe financial penalties may be imposed. Companies that fail to meet minimum cybersecurity requirements for government contractors can now face civil prosecution under the False Claims Act. Whistleblowers who report on these violations can also recover financial rewards, as well as receive protections against retaliation from their employers.
Most companies already have cybersecurity systems in place to regulate authentication and access. However, not all systems and protocols are created equal. Contractors with the federal government are required to ensure that their company's protocols align with the US National Institute of Standards and Technology (NIST) framework. NIST SP 800-171 is the current framework that specifies how contractors and subcontractors of federal agencies must protect Controlled Unclassified Information (CUI).
Not every element of being in compliance with NIST standards involves complex data handling policies or even increased financial investment. Data from McKinsey & Company shows that more than 70% of cyberattacks across the globe come from financially motivated individuals who deploy relatively simple techniques, such as phishing emails, in order to reach their end goals. Some elements of cybersecurity compliance for federal contractors involve rising to meet these kinds of challenges. Examples include implementing strong password controls, decommissioning old operating systems, and investing in multi-factor authentication technology.
NIST SP 800-171 is designed for use by non-federal organizations in general. Its protocols are based on a cybersecurity management framework initially created for contractors working with the Department of Defense. Defense contractors often handle information that carries additional risk, and may be targeted by nation-state threat actors as well as financially motivated cybercriminals. Some elements of Defense Federal Acquisition Regulation Supplement (DFARS) compliance include having in place a:
- Security information and event management (SIEM) system
- Comprehensive multi-factor authentication system
- Endpoint detection and response (EDR) solution
- Vulnerability management solution
Depending on what area of the federal government your company contracts with, you may have additional obligations and cybersecurity duties as specified in your work agreement. Even small businesses or small-to-medium manufacturers are not exempt from enacting qualifying cybersecurity measures when contracting with the federal government. Free resources are available to ensure that your company is within compliance.
Other cybersecurity protocol examples include:
- FAR 52.202.21: Companies that sell supplies to the US government are required to comply with this FAR clause, which sets out a minimum set of basic cybersecurity safeguards.
- The International Traffic in Arms Regulations (“ITAR,” 22 CFR 120-130): This regulatory protocol governs exports and imports involving defense goods and services. ITAR compliance is often required in addition to DFARS requirements.
- Payment Card Industry Data Security Standard (PCI DSS): The PCI DSS is a separate security standard governing the secure transfer of financial and credit card information.
- Sarbanes-Oxley (Pub L. 107-204): This financial regulatory law requires publicly traded companies to enforce formal data security policies.
- The Children’s Online Privacy Protection Act (15 USC §6501 et seq.): The Children’s Online Privacy Protection Act governs data collection from minors.
- The Federal Trade Commission Act (15 USC § 41 et seq.): The FTC Act is a broad-reaching regulatory standard that allows for consumer action against companies that fail to maintain basic cybersecurity policies protecting consumers' personal and financial information.
- The General Data Protection Regulation (GDPR): The GDPR is a European Union regulation that often applies to international contractors. It governs the protection of personal data belonging to residents of the European Union.
- Additional state laws and regulations: Some states have issued additional cybersecurity requirements for contractors that do business with state funds or hold federal contracts, or that are located within certain jurisdictions.
Unfortunately, many contractors do not meet compliance standards for DFARS, NIST, the Cybersecurity Maturity Model Certification program (CMMC), or other required frameworks. A recent study of 300 U.S.-based DoD contractors found that only 13% currently qualify for a Supplier Performance Risk System (SPRS) score of 70 or above. Under DFARS, a score of 110 is required for full compliance.
In order to encourage and streamline cybersecurity protocol compliance, some federal agencies such as the GSA, NASA, and DoD have proposed new standardized contract language as well as the implementation of updated reporting measures. The proposed changes also include:
- Developing and maintaining software bills of materials (SBOMs) for all software used as part of a federal contract.
- Individual procurement certifications as well as system certification.
- Fuller collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) on incident response initiatives.
- FBI and DOJ access to “applicable contractor information and information systems” in the event of a cybersecurity incident.
DFARS, NIST, FAR, CMMC and other federal cybersecurity requirements are all reasonable standards to expect from contractors entrusted with important information. Since the Biden Administration announced its Civil Cyber-Fraud Initiative in 2021, companies that fail to meet these standards, fail to report data breaches, or falsely certify that they are in compliance can be held accountable under the False Claims Act.
False Claims Act liability entails treble damages as well as a civil penalty per violation that is adjusted for inflation. The False Claims Act may be used against a contractor that wrongfully certifies that its protocols meet NIST or DFARS requirements, fails to report hacks or other cybersecurity incidents when bidding for contracts, or otherwise does not meet the minimum data protection standards required under its federal contracts.
Whistleblowers who report cybersecurity non-compliance by federal contractors can be eligible to receive part of the settlement when they report the violation through a False Claims Act claim. A whistleblower payment may be anywhere from 15 to 30% of the overall recovery. Speaking with a cybersecurity fraud lawyer is the best way to ensure that your claim meets all of the requirements to receive federal whistleblower benefits and protections.
Cybersecurity fraud whistleblowers are often insiders such as contractor employees, IT professionals, or competitors in the field. Your cybersecurity fraud attorney will be able to inform you about what kinds of proof are necessary in order to build your specific claim, as well as ensure that you only share what can legally be accepted in a court of law.
Not every whistleblower claim is taken up by federal investigators. Because of this, working with an experienced and reputable cybersecurity fraud law firm is the best way to ensure that your cybersecurity fraud whistleblower claim receives the fullest consideration possible. In the event that your claim is ignored or rejected, our whistleblower lawyers can also bring your case to court, fighting for you to receive the highest whistleblower award percentage possible in the event of a successful recovery.
For a complimentary and confidential consultation about your cybersecurity fraud whistleblower disclosure, contact the cyber fraud attorneys at Tycko & Zavareei LLP.