Carolyn R. Cody-Jones
A recent decision in the federal district court for the Eastern District of California is one of the first to recognize application of the False Claims Act (“FCA”) to Department of Defense (“DoD”) cybersecurity requirements, and will likely encourage future lawsuits alleging noncompliance with federal cybersecurity procurement regulations. In United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-2245 WBS AC, 2019 WL 2024595 (E.D. Cal. May 8, 2019), the court denied the defendant contractor’s motion to dismiss qui tam complaint fraud allegations against the company. The complaint—brought by a former employee from the company’s cybersecurity department a month after his termination from the company—alleged the defendant fraudulently entered into DoD and National Aeronautics and Space Administration (“NASA”) contracts despite knowing that it did not meet the minimum standards required to receive the awards. The court permitted the case to move forward despite the government declining to intervene.
The primary regulations at issue in the case are DFARS 252.204-7012, which recently required, as of December 31, 2017, that contractors have a cybersecurity plan in place complying with 110 recommended security control standards set forth in NIST SP 800-171. However, the court’s decision in Aerojet Rocketdyne focused on the previous 2013 final rule and the two interim rules in 2015 implementing DFARS 252.204-7012, and also a NASA cybersecurity regulation at 48 C.F.R. § 1852.204-76 involving contractor security controls for sensitive but unclassified government information. Continue reading “Eastern District of California Allows False Claims Act Allegations Based on Noncompliance with DoD Cybersecurity Requirements to Go Forward”
Blank Rome Partner Justin A. Chiarodo will be a presenter at BDO’s Winter 2019 Marketplace Outlook Update for Government Contractors, “Top 10 Trends and Compliance Obligations in the Evolving World of Commercial Item Procurement.” This live webinar will take place Thursday, February 28, 2019, from 12:30 to 1:30 p.m. EST.
For more information, please visit our website.
Michael Joseph Montalbano
Cost, schedule, and performance, the three pillars of defense procurement, may soon be accompanied by a fourth pillar: cybersecurity. As the nature of warfare evolves away from pure kinetic capabilities to the asymmetric, cyber realm, the Department of Defense (“DoD”) has had to grapple with the reality that its defense contractors are prime targets for infiltration. Indeed, in the February 2018 Worldwide Threat Assessment, Director of National Intelligence Daniel Coats specifically identifies defense contractors and IT communications firms as the primary focal points of China—one of the United States’ primary cyber adversaries. As a result of this new reality, DoD has begun the process of revamping the defense procurement system to place greater emphasis on cybersecurity. In response to these moves by DoD, contractors should take a fresh look at their current operations to identify their own cyber vulnerabilities as well as the vulnerabilities of their subcontractors, suppliers, and other partners. Without adequate preparation, contractors risk finding themselves at a significant disadvantage during future contract bids. Continue reading “Cybersecurity Could Make or Break Defense Contractors’ Chances of Future Awards”
Justin A. Chiarodo and Carolyn Cody-Jones
It’s almost here. After years of rulemaking, covered defense contractors will soon be fully subject to heightened cybersecurity standards for covered defense information (“CDI”) on IT systems under DFARS 252.204-7012, and contractors submitting new proposals will be representing that their systems are compliant with these security requirements pursuant to DFARS 252.204-7008. We discuss in this post seven compliance tips beyond the basics that are worth revisiting during this final compliance push. Continue reading “DFARS Cybersecurity Compliance Countdown: Are You Ready?”
The Department of Homeland Security (“DHS”) recently issued three new proposed cybersecurity regulations for DHS contractors which warrant careful attention. Although a freeze on new regulations by the Trump administration will likely delay any final agency action, and extensive comments and meaningful changes to any final rules are expected, these new regulations could radically impact the compliance landscape for DHS contractors. As with recent cybersecurity amendments to the Federal Acquisition Regulation (“FAR”) and Defense Federal Acquisition Regulation Supplement (“DFARS”) (which we’ve covered here and here), these proposed rules seek to impose more safeguarding, handling, reporting, and training requirements on covered contractors. We continue to see cybersecurity as a major business risk in the industry today, and recommend contractors pay close attention to their operational, technology, and risk management practices relating to cybersecurity. We highlight the key elements of the proposed rules below. Continue reading “DHS Contractor? Pricey New Cybersecurity Requirements (and Hidden Risks) May Await You”
There is no question cybersecurity is a critical compliance and risk area for federal contractors. A seemingly endless stream of cyberattacks—on corporate databases, government servers, even baby monitors—shows the breadth of these problems and the need for action. Government contractors have the added challenge of specialized regulatory obligations, with compliance (or non-compliance) having a direct impact on the value of their business. Continue reading “Does Your Cybersecurity Program Satisfy Recent DFARS Amendments?”
Justin A. Chiarodo and Philip Beshara
The government recently issued long-awaited amendments to the National Industrial Security Program Operating Manual (“NISPOM”). The amendments, known as Conforming Change 2, are targeted at combating insider threats and impose several new requirements warranting immediate action by contractors holding facility clearances.
There are four key elements to Change 2: (1) a mandated Insider Threat Program (“ITP”); (2) new cyber incident reporting requirements; (3) newly defined NISPOM components; and, (4) an updated standard for foreign-owned or controlled companies seeking access to proscribed information. We summarized these changes and provide implementation suggestions below.
I. Insider Threat – Mandated Insider Threat Program
Change 2 requires cleared contractors to have a written Insider Threat Program plan no later than November 30, 2016. The ITP must detect, deter, and mitigate insider threats consistent with the ITP requirements currently imposed on executive branch agencies (as set forth in Executive Order 13587 and the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs). Continue reading “NISPOM Conforming Change 2: What You Need to Know”