Carolyn R. Cody-Jones
A recent decision in the federal district court for the Eastern District of California is one of the first to recognize application of the False Claims Act (“FCA”) to Department of Defense (“DoD”) cybersecurity requirements, and will likely encourage future lawsuits alleging noncompliance with federal cybersecurity procurement regulations. In United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-2245 WBS AC, 2019 WL 2024595 (E.D. Cal. May 8, 2019), the court denied the defendant contractor’s motion to dismiss qui tam complaint fraud allegations against the company. The complaint—brought by a former employee from the company’s cybersecurity department a month after his termination from the company—alleged the defendant fraudulently entered into DoD and National Aeronautics and Space Administration (“NASA”) contracts despite knowing that it did not meet the minimum standards required to receive the awards. The court permitted the case to move forward despite the government declining to intervene.
The primary regulations at issue in the case are DFARS 252.204-7012, which recently required, as of December 31, 2017, that contractors have a cybersecurity plan in place complying with 110 recommended security control standards set forth in NIST SP 800-171. However, the court’s decision in Aerojet Rocketdyne focused on the previous 2013 final rule and the two interim rules in 2015 implementing DFARS 252.204-7012, and also a NASA cybersecurity regulation at 48 C.F.R. § 1852.204-76 involving contractor security controls for sensitive but unclassified government information. Continue reading “Eastern District of California Allows False Claims Act Allegations Based on Noncompliance with DoD Cybersecurity Requirements to Go Forward”
Carolyn R. Cody-Jones
The New Law
Shortly after passage by the Senate, President Trump signed the Small Business Runway Extension Act, P.L. No. 115-324, into law on December 17, 2018. The new law amends the Small Business Act to adjust the look-back period for calculating a company’s size based on average annual gross receipts from three years to five years.
Proponents of the law have lauded the assistance it will provide to growing small businesses, which in the past have been unceremoniously closed out of small business set-aside procurements before they have the resources to compete with larger government contractors. The longer look-back period benefits companies with lower revenue in prior years by allowing them to include those earlier years in calculating the company’s average annual receipts. The longer period also allows additional years of gross revenue to balance out a unique year of significant growth or income. Critics, however, worry this will hurt small businesses that must now compete with “larger” small businesses that remain eligible for small business set-aside procurements for longer. Continue reading “Small Business Runway Extension Act Adjusts Look-back Period from Three to Five Years for Calculating Size Determinations, but SBA May Not Immediately Implement the Law”
Scott Arnold and Carolyn Cody-Jones
The Fiscal Year (“FY”) 2019 National Defense Authorization Act (“NDAA”), H.R. 5515, 115th Cong., 2d Sess. (2018), passed both chambers of Congress at breakneck speed this year, the fastest pace in approximately 20 years, and was presented to President Trump on August 3, 2018. The bill enjoyed substantial bipartisan support in both the Senate and the House. It authorizes a $717 billion national defense budget and also reforms certain practices. Continue reading “Technical Data Rights Protections Eroded by FY19 NDAA”
Justin A. Chiarodo and Carolyn Cody-Jones
It’s almost here. After years of rulemaking, covered defense contractors will soon be fully subject to heightened cybersecurity standards for covered defense information (“CDI”) on IT systems under DFARS 252.204-7012, and contractors submitting new proposals will be representing that their systems are compliant with these security requirements pursuant to DFARS 252.204-7008. We discuss in this post seven compliance tips beyond the basics that are worth revisiting during this final compliance push. Continue reading “DFARS Cybersecurity Compliance Countdown: Are You Ready?”