Since 2021, the Department of Justice (DOJ) has been increasingly focused on pursuing False Claims Act (FCA) matters based on deficient cybersecurity practices. As the government increases its scrutiny of data privacy and cybersecurity, it is more important than ever to develop and maintain robust cybersecurity systems, educate employees, and ensure adequate risk management. Taking time now to shore up your data privacy and cybersecurity will help to avoid FCA challenges in the future.
Cybersecurity
DOJ Posts Near-Record Year of False Claims Act Settlements and Judgments
Cybersecurity-related FCA cases poised to increase as FCA enforcement ramps up
On February 7, 2023, the Department of Justice (DOJ) announced that settlements and judgments under the False Claims Act exceeded $2.2 billion during the 2022 fiscal year and that the government posted its second-highest number of settlements and judgments in a single year.
Mandatory Breach Notification Requirements for Government Contractors are Almost Here
President Biden’s newly released Executive Order on Improving the Nation’s Cybersecurity represents a comprehensive approach to tackling cybersecurity threats in the U.S. and will likely result in new FAR and DFARS contract requirements. It is the next step towards the inclusion of mandatory breach notifications in government contracts, following widespread speculation that breach notification requirements were on the horizon.
Six contracting policy changes in the FY 2015 National Defense Authorization Act
The Senate passed the Carl Levin and Howard P. “Buck” McKeon National Defense Authorization Act for Fiscal Year 2015 [pdf] on Friday, December 12, 2014. President Obama is expected to sign the bill into law. The $585 billion bill authorizes the Pentagon’s activities in FY 2015. It includes $521.3 billion in base defense spending and another $64 billion in war funding. Here is a summary of the procurement reform initiatives that will be relevant to contractors in the upcoming year:
- Cyber incident reporting for operationally critical contractors. Section 1632 of the 2015 NDAA directs the Secretary of Defense to designate and notify “operationally critical contractors,” a term narrowly defined in the bill. After notification, designated contractors will be required to report to the Department of Defense each cyber incident with respect to any network or information system of such contractor. Reports must include: an assessment of the effect on the contractor’s ability to meet the Department’s contractual requirements; the technique used in the cyber incident; any sample of malicious software obtained; and a summary of information compromised by the incident. Despite the disclosure requirement, section 1632 provides for protection of contractor trade secrets and confidential commercial or financial information. It also limits the dissemination of information obtained to relevant entities and agencies.
- Enhanced authority for non-DOD Chief Information Officers. Section 831 of the NDAA increases the role of Chief Information Officers of agencies other than the Department of Defense. It provides that an agency may not enter into a contract for information technology unless the contract has first been reviewed and approved by the agency’s Chief Information Officer. The head of each covered agency must ensure that its Chief Information Officer has a significant role in all annual and multi-year planning, budgeting, and reporting related to information technology. The bill requires the Director of OMB and the Chief Information Officers of appropriate agencies to increase the efficiency and effectiveness of information technology investments and to develop opportunities to consolidate the acquisition and management of information technology services. The Chief Information Officer of each covered agency is directed to inventory agency data centers and develop a multi-year strategy for consolidation and optimization of those data centers inventoried.
- DOD CIO positions consolidated. Section 901 of the 2015 NDAA incorporates a DOD proposal to combine the positions of Chief Information Officer and Deputy Chief Management Officer into the position of Under Secretary of Defense for Business Management and Information. The new Under Secretary will oversee business operations, personnel, and IT projects and will be appointed by the President with the advice and consent of the Senate. This change will not take place until the next administration.
Three new grounds for bid protests in a cyber secure world
No one will argue against the need to improve cybersecurity. We should limit the vulnerability of critical infrastructure and preserve the confidentiality of military technology, private company trade secrets, and individual medical records.
But there is a significant cost to upgrade IT systems in order to achieve this goal. The federal government will pay more to contractors who can meet heightened cybersecurity standards. If cybersecurity standards are too restrictive, qualified contractors will be driven away from federal contracting. At a minimum, new cybersecurity standards will mean more grounds for bid protests, which are the focus of this post.
First, the background
Executive Order No. 13636 (Feb. 12, 2013) [pdf] called for agencies to publish guidance on mitigating cybersecurity threats in federal procurement. In November 2013, DOD and GSA released a joint report recommending that compliance with an established cybersecurity protocol be a precondition to the award of information and communication technology (“ICT”) contracts. See Improving Cybersecurity and Resilience through Acquisition, Final Report of the Department of Defense and General Services Administration (Nov. 2013) [pdf].
The National Institute of Standards and Technology (“NIST”) released its voluntary framework for improving cybersecurity for critical infrastructure in February 2014. See Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0 (Feb. 12, 2014) [pdf]. The NIST Framework is a tool for organizations seeking to measure and improve their cybersecurity programs against an ideal. The Framework encourages organizations to improve their cybersecurity programs “when such a change would reduce cybersecurity risk and be cost effective.” Compliance is not yet mandatory, but legislation incentivizing or requiring compliance should be expected.
These are by no means the first cybersecurity standards for federal contractors, but they would broaden and increase existing requirements. As they are implemented, cybersecurity requirements will certainly lead to an increase in pre- and post-award bid protests for ICT contracts. We see them principally in three areas.
DoD’s new cybersecurity rules on unclassified “controlled technical information”
The United States Defense Department has published a final cybersecurity regulation concerning unclassified “controlled technical information.” See 78 Fed. Reg. 69,273 (Nov. 18, 2013) [pdf]. The objective of the regulation is to require contractors to maintain “adequate security” on unclassified information systems on which CTI may reside or transit and to implement detailed reporting requirements for “cyber incidents.” The final rule is narrower than the proposed regulation, which sought to safeguard unclassified DoD information generally. See 76 Fed. Reg. 38,089 (June 29, 2011) [pdf].
Definition of CTI
The final rule includes a new DFARS provision (DFARS 204.7300) and a DFARS contract clause (DFARS 252.204-7012), which impose new security measures and reporting requirements on contractors and subcontractors whose work involves unclassified “controlled technical information resident on or transiting through contractor information systems.”
The rule broadly defines CTI as “technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.” DFARS 204.7301.
The term “technical information” is further defined to mean “recorded information, regardless of the form or method of the recording, of a scientific or technical nature . . . .” See DFARS 252.227-7013. Examples of technical information include research and engineering data, engineering drawings and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.
While this is a broad definition, comments on the new rule limit its application to information requiring controls pursuant to DoD Instruction 5230.24 [pdf] and DoD Directive 5230.25 [pdf]. Contractors should not have to devote resources simply to the task of determining whether information is CTI or not.