Welcome to Defense TechCast, a new monthly webcast brought to you by ClearanceJobs and hosted by Leslie Weinstein, a cyber expert and U.S. Army major. This month Weinstein chats with Robert Metzger, attorney with the boutique law firm Rogers Joseph O’Donnell.
What is the False Claims Act?
The False Claims Act, also called the “Lincoln Law,” enables the government to impose liability on those who overcharge the government or make false claims about their products. It is the government’s biggest stick in combatting fraud and recently made headlines due to a high-profile case, Markus vs. Aerojet RocketDyne, which was recently settled with a $9 million payment after allegations of cybersecurity violations. The case may be significant, but it is just one among many cases involving the False Claims Act and the government’s role in ensuring that the thousands of entities it does business with are indeed acting fairly.
“I think in 2021 there was $5.6 billion recovered by DOJ or by whistleblowers who are acting in the government’s name,” noted Metzger. “Five billion of that, or about 89%, was against the healthcare industry. The Department of Justice is going to use the tools available to it to improve the conduct of companies and to bring actions…and recover damages from companies who fail to fulfill their cyber obligations.”
While the regulations are there, the ability to enforce them is another thing. Enter the Cybersecurity Maturity Model Certification (CMMC). The CMMC program outlines cyber protection standards for contractors in the Defense Industrial Base (DIB). While the goal is to safeguard information, it will also create a standard against which it will be easier to determine if a cyber violation has, in fact, occurred, which could merit prosecution.
“We don’t hear a lot of disputes if compliance was adequate,” noted Metzger. “CMMC is supposed to bring to us an assessment regime where we will have trained third party assessors who will look at, validate, and certify – or fail to certify – the actual security accomplishments of defense contractors. But that regime is not yet in place.”
Companies may be hesitant to launch into full compliance with CMMC, awaiting clearer guidance. “Cyber is not the clearest area for what is or isn’t compliant or sufficient,” said Metzger. But that is certainly not a reason to avoid shoring up cybersecurity capabilities, and more importantly ensuring adherence to existing policies and frameworks.
“The cost to defend a False Claims Act…is enormous, and the exposure is very large, moving toward gigantic,” said Metzger.
Current policies, including DFARS 7012 and NIST 800-171, outline what ‘adequate’ security looks like and provide procedures for handling cyber incidents and for what needs to be reported to the federal government.
What Can a Whistleblower Expect?
“Formally, whistleblowers are protected,” said Metzger. “I see whistleblowers ideally as serving a very valuable public purpose because there is misconduct that occurs in the defense industry and among federal contractors, and it’s important for whistleblowers to bring those issues to public attention so the interest of the public in getting the value for those goods and services is protected.”
But being a whistleblower doesn’t come without a cost. While whistleblowers have formal protections, it’s typical for their assignments to change or their tasks to be adjusted. “It can be a tough road for a whistleblower,” said Metzger. The key is to be specific, and where possible to tie issues to specific contracts rather than to broader company policies.
What Should Defense Contractors Do?
As CMMC continues to gain traction and interest in a contractor’s role in cybersecurity grows, Metzger advises defense contractors to take cyber seriously.
“I take very seriously the DOJ civil cyber fraud initiative,” said Metzger. The process is incredibly important, as is maintaining good documentation of how the company assessed the allegation and the steps it took in response.