There’s a buzz in the air, and it’s not just autumn leaves rustling. The Department of Justice (DOJ) is becoming more aggressive in pursuing organizations that fail to meet their cybersecurity obligations under DFARS 252.204-7012 and 252.204-7019 (“DFARS 7012” and “7019” below). These clauses require defense contractors and their subcontractors to implement adequate security measures to protect sensitive, unclassified government information and to be truthful about how well they have done so.
The consequences of non-compliance are severe. Companies can face the direct and indirect costs of responding to investigations, liability under the False Claims Act of up to three times the damage suffered by the government plus a civil penalty for each false claim, and the loss of current and future DoD contracts.
In this blog post, we will discuss the factors contributing to the escalating threat of False Claims Act charges through violations of DFARS 7012 and 7019, and we will provide some tips on how to avoid these charges.
What are DFARS 7012 and 7019?
- DFARS 7012: In force for all covered contractors since the end of 2017, this clause says, in essence, that defense contractors must keep Covered Defense Information (CDI) safe and sound, implement the security requirements of NIST SP 800-171 (NIST being the National Institute of Standards and Technology), rapidly report cyber incidents to the DoD (within 72 hours of discovery), and flow the same obligations down to subcontractors that handle CDI.
- DFARS 7019: A younger sibling from 2020, this clause lays out assessment levels (Basic, Medium and High; think of them as report cards with increasing scrutiny, the Basic level being a self-assessment) against NIST SP 800-171 and requires that a current score (no more than three years old) be posted in the DoD’s Supplier Performance Risk System (SPRS). And yup, these scores matter: a contracting officer must confirm a current score is on file before awarding a contract.
False Claims Act and Cybersecurity
The False Claims Act (FCA) allows the government to recover damages and penalties from persons who knowingly submit, or cause to be submitted, false claims for government funds. “Knowingly” covers not only actual knowledge but also deliberate ignorance and reckless disregard of the truth.
In the context of DFARS 7012 and 7019, accepting a DoD contract that contains these clauses, and posting a score in SPRS, represents that the organization is meeting the requirements. Every invoice submitted under that contract then rests on that representation. Slip-ups or, heaven forbid, any ‘alternative facts’ about your cybersecurity (an inflated SPRS score, an unreported incident, a System Security Plan that describes controls that were never implemented) can land you in hot water with an FCA investigation.
Factors Contributing to the Escalating Threat
- Whistleblower Incentives: The FCA’s qui tam provisions let private citizens, often current or former employees and IT staff who know exactly which controls are not in place, file suit on the government’s behalf and receive a share of any recovery (generally between 15 and 30 percent). Whistleblowers have triggered FCA investigations that have led to significant settlements.
- DOJ’s Got Its Eyes Wide Open: In October 2021 the DOJ launched its Civil Cyber-Fraud Initiative, which uses the FCA to pursue government contractors that knowingly provide deficient cybersecurity, misrepresent their security practices or controls, or fail to report cyber incidents as required.
- The High Price of Slipping Up: The financial repercussions of non-compliance are immense. Beyond treble damages and per-claim penalties, a company may face the cost and disruption of the investigation itself, contract termination, and suspension or debarment from future DoD work.
The Way Forward
- Ensure Compliance: Protect CDI as DFARS 7012 requires and be able to prove it. NIST SP 800-171 itself expects a System Security Plan (SSP) describing how each requirement is met and a Plan of Action and Milestones (POA&M) for any that are not; keep both current, because they are the first documents an investigator will ask for.
- Update Regularly: Maintain and demonstrate adherence to all security requirements in NIST SP 800-171, and re-assess whenever the environment changes, not just when the three-year SPRS clock runs out.
- Open Communication: Report an SPRS score you can back up with evidence. An honest, lower score with a credible POA&M is defensible; an inflated score is a false statement, and fixing it later does not undo the claims submitted in the meantime. Honest evaluations and ongoing improvements lead to better security and better scores.
- Culture Matters: Create a culture that takes cybersecurity seriously. Compliance isn’t a mere box-ticking exercise, and the people most likely to notice the gap between paperwork and reality are your own staff. The recent DOJ cases emphasize that adequate security measures, not just adequate documentation, are what is being judged.
Final Thoughts: Cybersecurity isn’t just a tech issue; it’s a business one. A proactive approach can save a lot of headaches down the road. If this feels daunting, remember, there are experts here at Planet ready to help.
Stay cyber smart!