What is the U.S. Government Doing to Prevent Data Breaches?

There is a common perception – one that’s especially popular among leaders and politicians – that the way to solve a problem is to pass a law. In the U.S., cybersecurity is a particular issue, and one the government has been trying to solve for almost a decade.

It has so far failed.

In June 2015, the U.S. OPM (Office of Personnel and Management) suffered a data breach affecting 21.5 million records. In 2020, a cyberattack by a Russian-backed group impacted a large swath of the U.S. federal government, state governments, and private companies.

These are just two notable examples. The Pentagon receives 36 million malicious emails every day.

There have been numerous attempts to tackle this problem, specifically in relation to the U.S. DoD (Department of Defense). The first was Executive Order 13636, which was signed on February 12, 2013 and required NIST (the National Institute of Standards and Technology) to create a cybersecurity framework within the next year.

More than two years later, in October 2015, NIST published SP 800-171, a cybersecurity framework that mirrored Annex A of ISO 27001.

Soon afterwards, 48 CFR § 252.204-7012 was created, requiring all DoD contractors to implement NIST SP 800-171 as soon as practical, but no later than December 31, 2017.

By 2019, it was obvious that this regulation was not working.

Filling the gaps

Despite the DoD’s best efforts, including incentivizing supplier compliance, the implementation of NIST SP 800-171 was much slower than expected. In fact, the DoD became concerned that most defense contractors maintained only the most basic of security hygiene standards.

To improve compliance, it instigated CMMC (Cybersecurity Maturity Model Certification). The program is remarkably like ISO 27001 certification, but with stronger audit requirements and weaker conflict of interest rules.

It has also been delayed until 2025.

To fill the gaps, five enforcement processes have been implemented. However, these require government action and, as such, are probably less effective.

The first is the DoJ’s (Department of Justice) Civil Cyber-Fraud Initiative, which aims to hold government contractors and grant recipients accountable under the FCA (False Claims Act) for violations involving cybersecurity-related fraud.

The second tool is breach of contract. Since 48 CFR § 252.204-7012 contains a clause meant to be inserted into a contract, the failure of a contractor to honor the clause would constitute a breach.

A breach based on a false statement might introduce the concept of fraud, which would increase the award.

The third tool is more interesting: A failure of a DoD contractor to implement appropriate cybersecurity measures would count as a violation of the FCA.

The FCA has two attractive provisions. First, it is meant to be punitive, so it allows for double damages and a $2,000 fine for each false claim.

The second provision, qui tam, is more effective, because it involves private parties.

Qui tam allows a private individual to receive compensation if they can prove a false claim. In most cases, the government does not take action against the defendant in a false claim case.

This might be because the contractor manufactures essential munitions or provides crucial services. A qui tam action would open non-compliant contractors to actions by mercenary plaintiff lawyers without government scruples.

The DoD’s fourth tool allows contracting officers to act directly without going to court.

In June 2022, the DoD circulated a memo that allows contracting officers to invoke penalties, including withholding progress payments, not exercising options, or terminating the contract, if they determine that the contractor has failed to honor its cybersecurity obligations.

Finally, if the contractor is a company listed on an exchange, it can be subject to prosecution by the SEC (Securities and Exchange Commission). The failure of a listed firm to report a cybersecurity weakness can result in fines and potentially derivative lawsuits by affected stockholders.

However, the largest disincentive relates to the supply chain and not direct government action. Prime contractors are required to flow down the requirements of 252.204-7012 to sub-contractors. If they do not, they could be subject to non-payment, fraud claims, suspension, debarment, and criminal liability.

How IT Governance USA can help

In short, it is no longer possible for a DoD contractor to avoid its cybersecurity obligations. A non-compliant contractor either will not be considered by the prime contractor or runs the risk of an FCA action by a qui tam relator.

IT Governance USA can help you meet your requirements. We have more than 20 years’ experience implementing cybersecurity frameworks and providing compliance support.

Our Privacy as a Service solution provides compliance tools as well as guidance from specialist lawyers and data protection and cybersecurity experts, who will guide you through the process of bolstering your data privacy processes and technologies.

The service can help organizations of any size with an array of tasks, including compliance monitoring, breach notification processes, and data privacy management.