False Claims Act Warnings: A Wake-Up Call for Contractors and Universities to Bolster NIST Practices

    Explore the implications of recent cybersecurity cases involving Penn State University and Verizon. Learn how to bolster your organization's compliance efforts and navigate the evolving landscape of cybersecurity enforcement successfully.


    In recent weeks, the world of cybersecurity compliance has witnessed an uptick in False Claims Act (FCA) activity, signaling a heightened focus on enforcing robust security measures.  

    TL;DR: 

    Taking proactive steps by making cybersecurity a top priority in compliance efforts can help organizations mitigate the risk of facing False Claims Act allegations; contractors must start taking the necessary steps to protect sensitive data in an appropriate manner.

    Two landmark cases involving Penn State University and Verizon have thrust compliance with Department of Defense (DoD) cybersecurity obligations and the Civil-Cyber Fraud Initiative into the spotlight.  

    These cases underscore the critical importance of not only understanding and adhering to government-mandated cybersecurity standards but also of fostering a culture of transparency, accountability, and diligence.

     

    Penn State University Lawsuit 

    On September 1, 2023, the U.S. District Court for the Eastern District of Pennsylvania unsealed a qui tam False Claims Act (FCA) lawsuit against Penn State University. This lawsuit revolves around allegations that Penn State failed to meet the cybersecurity standards required for Covered Defense Information (CDI) as specified in the DFARS 252.204-7012 clause. 

    The lawsuit contends that Penn State University did not implement the full complement of 110 controls outlined in NIST SP 800-171, a critical component of DFARS cybersecurity compliance.  

    Additionally, federal regulations mandate that DoD contractors conduct a self-assessment and report their compliance score in the DoD’s Supplier Performance Risk System (SPRS). The lawsuit also accuses the university of falsifying over 20 documents related to its compliance self-assessment.  

    Astonishingly, it alleges that the university had falsely claimed compliance since January 1, 2018, despite never achieving full DFARS compliance.

    Furthermore, the migration of some data to a commercial cloud-storage service is said to have jeopardized sensitive information. 

    Significance of the Lawsuit 

    This FCA whistleblower lawsuit carries notable implications.  

    Firstly, it underscores that DoD contractors and subcontractors are vulnerable to whistleblower claims, particularly when they face a multitude of required actions, like the 110 controls in this case. Ensuring accurate self-attestations and fostering a culture of transparency and accountability in cybersecurity is therefore paramount in reducing the likelihood of employee whistleblowing.

    Secondly, universities and higher education institutions with government contracts must not assume immunity from cyber-related FCA claims. They must actively comprehend and adhere to government cybersecurity regulations. 

    Lessons for Contractors and Universities 

    Penn State University's case highlights the importance of accurate self-assessments, transparency, and accountability in cybersecurity practices to mitigate the risk of whistleblower claims. Furthermore, understanding and adhering to government regulations is imperative for all parties involved. As enforcement actions continue to rise, proactive measures in cybersecurity compliance are more crucial than ever. 

    Contractors and universities should: 

    • Revisit their cybersecurity posture, ensuring compliance efforts are underway and self-declarations are accurate. 
    • Implement robust policies, procedures, and controls, and conduct continuous internal reviews to identify and address compliance gaps. 
    • Take internal complaints seriously, engaging legal counsel or independent consultants for thorough investigations in line with actual compliance requirements. 

    Verizon DOJ Civil-Cyber Fraud Initiative Settlement 

    On September 5, 2023, the Department of Justice (DOJ) announced a notable settlement stemming from the Civil-Cyber Fraud Initiative. Verizon Business Network Services, LLC, agreed to pay $4,091,317 to settle allegations of lapses in upholding specific cybersecurity protocols for its Managed Trusted Internet Protocol Service (MTIPS). MTIPS is a pivotal means by which federal agencies connect securely to the public internet and external networks.

    The DOJ alleged that Verizon's MTIPS offering did not fully meet three crucial cybersecurity protocols concerning Trusted Internet Connections. The allegations pertain specifically to General Services Administration (GSA) contracts that ran from 2017 to 2021.

    Verizon was commended for its proactive measures: 

    • Voluntary disclosure of the issue 
    • Launching an independent inquiry and compliance audit 
    • Furnishing supplementary written disclosures 
    • Extensive cooperation with the government's inquiry 
    • Swift application of substantial corrective actions 

    Of the overall settlement, $2.7 million is assigned to restitution, while the remaining $1.3 million reflects the government's use of a multiplier, as permitted under the False Claims Act (FCA). This approach is customary in situations where contractors voluntarily disclose noncompliance.

    This resolution emphasizes the critical significance of robust compliance frameworks within contractor entities. Cultivating an environment that fosters internal assessments, voluntary disclosures, comprehensive investigations, and collaboration with the government is of utmost importance.  

    Such practices not only contribute to risk mitigation but also demonstrate a steadfast dedication to upholding cybersecurity compliance. 

    Cybersecurity Standards Will Continue to Rise 

    Federal contractors and universities must prioritize cybersecurity compliance, as the focus on this issue is set to intensify. 

    Taking proactive steps, such as understanding and adhering to regulatory mandates, implementing strong compliance functions, and promptly addressing internal complaints, can help organizations mitigate the risk of facing FCA allegations. Making cybersecurity a top priority in compliance efforts is crucial, and contractors must start taking the necessary steps to protect sensitive data in an appropriate manner. 

     

     

     

    Summit 7 Leadership

    Author