JUSTICE DEPARTMENT OFFICIALS INDICATE POSSIBLE USE OF FCA ON CYBER, CMMC COMPLIANCE
Some readers believe that we exaggerate the risks of contract non-compliance. We wrote recently about the potential for the Department of Justice to use the False Claims Act to pursue contractor culpability when supplying compromised SolarWinds solutions. We could see your eyes rolling from here. The Department of Justice helpfully backed us up last week, though, by sending a warning to government contractors that it will be turning up the False Claims Act heat on cybersecurity fraud.

Acting Assistant Attorney General Brian Boynton told the Federal Bar Association Qui Tam Conference this week that it is not difficult to imagine a situation where False Claims Act liability may arise, given what the government pays for systems or services that are supposed to comply with required cybersecurity standards. The bottom line: If your company provides a cybersecurity system that fails to meet stated federal requirements, or attests to a cyber standard that it does not meet, DOJ could pursue a False Claims Act case against you. Boynton went on to say that cybersecurity was one of six key priorities for the civil division when it comes to the False Claims Act.

Contractors are on notice to ensure that they comply with any cyber standards included in an RFP or RFQ and that their company meets cyber-related standards such as CMMC. The cost of an FCA investigation starts at seven figures and can easily reach the mid-eight-figure level, not including potential suspension or debarment. Keep that in mind when your company contemplates whether to spend six figures on a cyber compliance system.

Conversely, if your company does meet required standards and your competitors do not, you now have a powerful tool that should give you an advantage. If a government customer still goes ahead and makes an award to a non-compliant company, a whistleblower case you file can add to your bottom line.