WHISTLEBLOWER SUITS FOR CYBER BREACHES UNDERWAY
As predicted, whistleblower cases are becoming one key way in which federal contract cyber requirements will be enforced. SAIC recently learned that the hard way when an employee who allegedly tried to notify the company of his concerns was, instead, fired. Unsurprisingly, he immediately turned around and filed a whistleblower suit against the company for its alleged indifference to cyber compliance matters.

Among the whistleblower’s complaints is that the company did nothing to address vulnerabilities in an IT solution being delivered to the Air Force in Germany. In addition, the now-former employee claims that SAIC was using incorrect metrics to report material information about cybersecurity risk management to stockholders and the SEC. These are some early indications of where cyber non-compliance allegations could originate.

According to the complaint, not only did SAIC take no action on these potential concerns, but the company also systematically retaliated against the employee by suspending his telework privileges, demoting him, restricting his ability to use family and medical leave, and taking other steps before he was eventually fired over a year later.

While the case is still being litigated and, as such, no conclusion can be drawn about the allegations, SAIC’s behavior is pretty much exactly the opposite of what compliance attorneys and consultants recommend. Retaliation is also specifically prohibited by FAR 3.903, which says, in pertinent part, “Contractors and subcontractors are prohibited from discharging, demoting, or otherwise discriminating against an employee as a reprisal for disclosing…Evidence of gross mismanagement of a Federal contract,” or a host of other situations. Indeed, regardless of the outcome of the FCA case, SAIC will almost certainly have to pay more money and legal fees for the improper retaliation than if it had followed the rules.

Contractors can learn two lessons from this incident. First, people are watching to see whether you’re compliant with your cyber requirements. Second, retaliating against a whistleblower costs time and money while simultaneously providing the company with negative publicity.