The United States Department of Justice (DOJ) has announced that it will start holding companies that have government contracts—and receive federal funding—accountable if they’ve put US information or systems at risk.
Using the False Claims Act, the Civil Cyber-Fraud Initiative will seek out cybersecurity fraud committed by companies receiving federal grants and contracts. This announcement follows a concerted effort by the DOJ to tighten cybersecurity and challenge the belief “that it is less risky to hide a breach than to bring it forward and to report it,” said Deputy Attorney General Lisa O. Monaco.
Does This Initiative Include DoD Contractors?
Although not explicitly highlighted by the DOJ, Department of Defense (DoD) contractors are undoubtedly expected to meet cybersecurity requirements and are at risk of litigation if they have:
- knowingly misrepresented their cybersecurity practices and protocols
- violated obligations to monitor and report cybersecurity incidents and breaches
This new initiative comes on the heels of the rollout of the Cybersecurity Maturity Model Certification (CMMC) program, which was created to enforce DFARS (the Defense Federal Acquisition Regulation Supplement). This law requires all DoD suppliers to implement stringent cybersecurity controls within their organizations.
What This Means for DoD Suppliers
DoD suppliers should be concerned if their documented cybersecurity practices and protocols are non-existent or have been poorly or carelessly implemented. If so, they could find themselves in a time-consuming legal battle or, if found liable, face stiff penalties and fines. Companies that hastily submitted their scores to the Supplier Performance Risk System (SPRS) should be especially worried.
“Since the passing of DFARS, we have always strongly urged DoD suppliers to take their cybersecurity very seriously, but this new clampdown from the government makes complete documentation and verified implementation for cybersecurity controls more urgent than ever,” says John Renders, Cybersecurity Director at Brightline IT—a company that specializes in helping DoD contractors prepare for CMMC.
“DoD contractors who have thoroughly prepared for CMMC, either by themselves or by outsourcing the task to a provider such as Brightline IT, will be best equipped to mount their defense against DOJ prosecutors in the event of a cyber breach or allegations of false claims,” John added.
How DoD Contractors Can Reduce Their Liability Risk and Prepare
DFARS has been the law since 2017, and many DoD contractors have taken the steps necessary to prepare thoroughly for CMMC. Whether carried out by in-house teams or outsourced to a third-party provider, preparation typically involves three major steps:
- Compliance Assessment: A detailed assessment of your current IT infrastructure is performed and compared against the cybersecurity controls required in NIST SP 800-171. In this first step, the System Security Plan (SSP) and Plan of Action and Milestones (POA&M) are developed so that contractors can provide documented evidence to the DoD or their prime contractor that they are on their way towards compliance. This assessment then serves as the basis for the remediation plan.
- Remediation: In this step, contractors address the items called out in the POA&M. This can be as simple as implementing multi-factor authentication and security awareness training or as complex as refreshing an entire aging technology infrastructure, depending on the current state of your IT systems.
- Cybersecurity Monitoring & Response: Ongoing advanced cybersecurity monitoring and incident response capabilities are required to remain CMMC compliant. If a cyber incident occurs, contractors must notify the DoD through the DIBNet Portal within 72 hours. Contractors must also continually assess and maintain the NIST SP 800-171 controls over time, because systems change and fall out of alignment.
Request a Consultation
The DOJ also pointed to its Civil Division's Fraud Section, to which anyone can report cybersecurity fraud or negligence.
If you’re a DoD contractor concerned about cybersecurity compliance within your organization, feel free to give us a call to request a consultation. We’ve helped companies throughout the United States implement NIST SP 800-171 controls and prepare for CMMC.