Here is a bit of irony: In 1983, at Camp David, President Ronald Reagan was watching the great granddaddy of all hacker movies, WarGames, about a computer program that was tampered with by kids – a program that just so happened to control the launch of nuclear missiles from NORAD. This movie made such an impression on Reagan that in 1984 he issued National Security Decision Directive Number 145, which stressed the importance of cybersecurity, including the charge to “Review and approve all standards, techniques, systems and equipment for telecommunications and automated information systems security.”

The False Claims Act (FCA) was established in 1986 by Congress as a way to combat government contractor fraud during the DoD buildup under President Reagan. So within two years of each other, almost 40 years ago, both the genesis of cybersecurity standards that were to be followed and the punishment for those who lie about them were created, probably without a single thought of how one would be related to the other.

Impact of the False Claims Act on Cybersecurity Requirements

Now, the two are almost inseparable in contract language: the procurement of any weapon system, part, or other good or service by the government comes with strict assurances that the contractor, as the other party, complies with Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, NIST SP 800-171, and other related cybersecurity standards.

Because of whistleblowers and self-identifying offenders, multiple FCA claims have been successfully prosecuted by the federal government over the past two years against a variety of defendants, including Verizon, Penn State University and Aerojet Rocketdyne. Besides the existing DFARS and NIST standards, the Federal Acquisition Regulatory (FAR) Council is proposing more rules: that cyber requirements be standardized amongst all unclassified federal information systems, that the contractor share cyber threat information with the government, and that all incidents be reported within eight hours of discovery.

Compliance Is Required for Contractors

It goes without saying that every part of a government contract, as boilerplate as it may seem, is still a promise by one side or the other that they must comply with, whether it be terms of delivery, performance expectations, or that applicable standards are being followed. Anyone who has a role or part in executing that contract also has the responsibility not only of compliance, but of communicating to the company's procurement agents, through the duration of the contract, that the terms of the contract are still being met.

 


Joe Jabara, JD, is the Director of the Hub for Cyber Education and Awareness, Wichita State University. He also serves as an adjunct faculty member at two other universities, teaching Intelligence and Cyber Law. Prior to his current job, he served 30 years in the Air Force, Air Force Reserve, and Kansas Air National Guard. His last ten years were spent in command/leadership positions, the bulk of which were at the 184th Intelligence Wing as Vice Commander.