As the government places greater emphasis on cybersecurity obligations for contractors, disputes over these obligations are becoming more frequent. In the first half of 2022 alone there have been significant False Claims Act settlements and bid protests addressing these issues, and we expect this trend to continue.
Last month, the Department of Defense (DoD) issued a memorandum reminding DoD officials of their audit rights regarding cybersecurity compliance and outlining potential remedies if a contractor fails to perform its obligations, including “the withholding of progress payments; waive any remaining contractual options; and possibly terminate the contract in part or in full.” It is therefore important that contractors understand the cybersecurity obligations in their solicitations and contracts and have a plan to demonstrate compliance.
This alert highlights several recent cases that may inform this planning.
As we have described in previous alerts, a contractor’s knowing failure to comply with material cybersecurity requirements could expose the contractor to liability under the False Claims Act. The recent Aerojet Rocketdyne settlement from April 2022, described in a press release issued by the Department of Justice last week, illustrates this risk.
The Aerojet suit was originally filed by Aerojet’s senior director of cybersecurity. He alleged that Aerojet fraudulently induced the government to enter into contracts with the aerospace company by failing to disclose the full extent of Aerojet’s non-compliance with the applicable Defense Federal Acquisition Regulation Supplement (DFARS) and National Aeronautics and Space Administration (NASA) cybersecurity requirements, and sought $19 million in damages.
Although the evidence showed that Aerojet had communicated with the government about its non-compliance (including requesting a waiver of certain requirements), in its decision denying summary judgment the court found that “there is a genuine dispute over a material fact as to the sufficiency of disclosures” related to cyber breaches suffered by the company and to information gathered during cyber audits conducted by external firms.
The court also found that additional information was needed to determine whether the government considered these requirements material to the award of the contract. Aerojet paid $9 million to settle the case (of which $2.61 million went to the whistleblower), although, according to documents Aerojet filed in the case, the government received the full economic value of the contracts in question.
The first half of 2022 also saw the first cybersecurity-related settlement stemming from the Department of Justice’s Civil Cyber-Fraud Initiative. In March 2022, medical services contractor Comprehensive Health Services LLC paid $930,000 to settle allegations that it violated the False Claims Act by failing to store confidential medical records on a secure electronic medical records system, as it was contractually required to do. In announcing the settlement, the Senior Assistant Deputy Attorney General said the settlement “demonstrate[s] the department’s commitment to use its civil enforcement tools to prosecute government contractors who fail to meet required cybersecurity standards.”
Public statements and government initiatives regarding cybersecurity, as well as the increased prevalence of cybersecurity requirements in contracts, suggest that the Aerojet and Comprehensive Health cases are likely only the first of many cybersecurity-related actions that will be launched by the government and whistleblowers in the future.
Cybersecurity requirements are also increasingly relevant in the context of bid protests. In its March 2022 decision in American Roll-On Roll-Off Carrier Group, the U.S. Government Accountability Office (GAO) dismissed a protest alleging that the awardee misrepresented its cybersecurity compliance by rating its Federal Risk and Authorization Management Program (FedRAMP) authorization level as “high” when it should have been “moderate”.
Although the GAO denied the protest, it assessed the merits of the allegations. Specifically, the GAO considered publicly available information and a statement from the awardee’s subcontractor to conclude that the awardee did not misrepresent its authorization level. The agency’s award decision is currently being challenged in the U.S. Court of Federal Claims, and the court will likely address the FedRAMP allegations in its decision on the merits, expected later this year.
The GAO has reviewed other protests involving cybersecurity-related challenges on their merits. Most recently, the GAO reviewed a protest alleging that the awardee failed to report a gap assessment score in the DoD’s Supplier Performance Risk System (SPRS), as required by DFARS 252.204-7019 and DFARS 252.204-7020. The GAO concluded that the protest was well-founded but nevertheless dismissed it because the protester failed to establish prejudice. Similarly, in 2021, the GAO dismissed a protest challenging a sole-source award when the protester could not demonstrate that its solution had the required FedRAMP authorization, which was a mandatory minimum requirement of the procurement.
While the protests discussed above were all dismissed, the decisions demonstrate that an awardee’s failure to meet applicable cybersecurity requirements could form the basis of a meritorious bid protest. The likelihood of cybersecurity-related protests will increase as agencies more frequently include cybersecurity requirements in solicitations as mandatory requirements and evaluation criteria.
Although we have not identified any notable cases involving cybersecurity-related claims filed under the Contract Disputes Act as of the first half of 2022, such claims remain a potential issue for government contractors. As noted above, the DoD specifically advised procurement officials that failure to comply with cybersecurity requirements could justify a claim for breach of contract or be grounds for termination for cause.
The recent cybersecurity compliance litigation demonstrates the growing need for contractors to be vigilant in their review of solicitation requirements and in the statements they make in proposals regarding cybersecurity compliance.