In the digital age, contractors working with the U.S. Department of Defense (DoD) must comply with stringent cybersecurity standards under regulations like DFARS and the CMMC to protect the government’s sensitive information. Yet, despite these requirements and the rise of cyber threats, some contractors fall short of their obligations, either through negligence or willful disregard.
This article delves into the ethical, legal, and practical considerations that potential whistleblowers should weigh when deciding whether to come forward, along with the type of information necessary to substantiate a claim under the False Claims Act (FCA).
The Importance of Reporting Cyberfraud
Cybersecurity failures in the DoD supply chain create risks to national security at all levels, by leaving sensitive information vulnerable to theft and exploitation by adversaries. Whistleblowers can play a key role in maintaining accountability of defense contractors to DFARS and CMMC standards. In October 2021, the Department of Justice (DOJ) launched its Civil Cyberfraud Initiative to combat cybersecurity fraud among government contractors and federal grant recipients. The aim of the initiative is to hold accountable those who provide deficient cybersecurity products or services, misrepresent their cybersecurity practices or protocols, or fail to meet their obligations to monitor and report cybersecurity incidents and breaches. The DOJ uses the whistleblower provisions of the False Claims Act to protect sensitive information and critical systems from emerging cyber threats.
The False Claims Act or “FCA” allows private citizens to file claims on behalf of the government in cases of fraud and provides a legal mechanism for whistleblowers to come forward and be rewarded for doing so. Under the FCA, a contractor that knowingly submits false claims for payment or falsely certifies compliance with material contract terms—such as DFARS cybersecurity obligations—can be held liable for damages. If successful, whistleblowers (known as “relators”) are entitled to a percentage of any funds recovered by the government, often between 15-30% of the total recovery.
Success of the Civil Cyberfraud Initiative
The Civil Cyberfraud Initiative has already led to significant enforcement actions.
The DOJ’s first FCA settlement under the Civil Cyberfraud Initiative, a $930,000 settlement with a medical services contractor, involved allegations of cybersecurity failures in medical record systems. This set a precedent for subsequent enforcement actions targeting cybersecurity fraud. In another case, Verizon, a cooperating federal contractor, resolved its liability for $4 million. The settlement resolved allegations that, from 2017 to 2021, Verizon failed to fully implement required cybersecurity controls related to its Managed Trusted Internet Protocol Service (MTIPS), which is designed to provide federal agencies such as the General Services Administration (GSA) with secure connections (“Trusted Internet Connections”) to the public internet and other external networks.
In 2022, Aerojet Rocketdyne settled for $9 million over allegations that it misrepresented its cybersecurity practices in contracts with the DoD and NASA, violating the False Claims Act. The whistleblower, a former Aerojet employee, provided crucial insights into the company’s failures, such as not implementing the required cybersecurity measures for controlled unclassified information (CUI).
More recently, the Department of Justice intervened in a lawsuit against Georgia Tech, alleging that the university failed to meet federal cybersecurity requirements in DoD contracts. Georgia Tech allegedly neglected to implement critical cybersecurity measures and falsely reported its compliance, jeopardizing sensitive government information.
Factors for Consideration Under the False Claims Act
In deciding whether to blow the whistle on cybersecurity fraud, potential whistleblowers should consider several factors:
Ethical Responsibility: Failing to report cyberfraud may enable continued non-compliance, increasing the risk of a data breach or national security threat. Reporting such misconduct serves the public interest. An individual working in the DoD contracting sphere should be highly familiar with the ethical and legal implications of failing to abide by cybersecurity regulations, which is tantamount to a contractor misappropriating federal funding.
Legal Protections: The FCA offers protections against retaliation, meaning whistleblowers cannot legally be fired, demoted, or otherwise penalized for coming forward.
Consequences of Non-Compliance: Contractors found guilty of cyberfraud face significant penalties, including treble (triple) damages and civil penalties, which can serve as a deterrent to future violations and future violators. For whistleblowers, this means that their actions can help ensure that all contractors are held to high cybersecurity standards.
Who Can Blow the Whistle?
When it comes to detecting and reporting cybersecurity fraud, certain roles within a defense contractor’s organization are best positioned to blow the whistle. As a function of their jobs, Information Technology professionals typically have visibility into cybersecurity systems, network infrastructure, compliance documentation, and the internal processes required to ensure compliance. Employees like Chief Information Security Officers (CISOs), Cybersecurity Compliance Managers, and IT Directors often have direct access to systems and documentation that reveal non-compliance. You can find more information about what positions are most applicable here.
What Information Should a Whistleblower Have When Reporting Fraud?
Filing an FCA claim based on cyberfraud requires more than just suspicion. A whistleblower must present specific and credible information to substantiate allegations of non-compliance with DFARS or CMMC requirements, such as:
1. Detailed Information on Cybersecurity Non-Compliance
The whistleblower should gather documentation or knowledge showing that the contractor is not meeting the necessary cybersecurity requirements under DFARS clause 252.204-7012 or CMMC standards. This could include the contractor’s:
• Failure to implement required security controls for protecting Controlled Unclassified Information (CUI);
• Low Supplier Performance Risk System (SPRS) scores and an unrealistic Plan of Action and Milestones (POA&M) to address deficiencies;
• Failure to have a System Security Plan (SSP);
• Inadequate access controls (weak password protocols, lack of multi-factor authentication, improper data encryption); or
• Failure to notify the DoD of data breaches within the required 72-hour timeframe.
2. Evidence of False Certification or Misrepresentation
Under the FCA, a key element is whether the contractor knowingly made false statements or certifications to the government regarding its compliance. The whistleblower should gather:
• Documents showing the contractor certified compliance with DFARS or CMMC, despite knowing they were non-compliant, such as the submission of false SPRS scores to the government.
• Internal communications, such as emails or reports, where management acknowledges cybersecurity gaps but fails to take corrective action.
• Billing or invoicing records submitted to the DoD that falsely claim compliance with cybersecurity regulations.
3. Proof of Knowledge or Recklessness
The FCA also requires that the contractor acted with knowledge or reckless disregard for the truth. Evidence of intent or recklessness can include:
• Internal audits or assessments that flagged cybersecurity deficiencies, but were ignored or concealed by management.
• Correspondence with third-party auditors (such as the C3PAOs that conduct CMMC assessments) highlighting discrepancies between reported compliance and actual cybersecurity practices.
• Records of previous cybersecurity incidents or breaches that were not properly addressed or reported.
4. Documentation of the Contractor’s Misconduct Over Time
Often, a whistleblower will have access to information that shows a pattern of misconduct rather than a one-time failure. Whistleblowers should gather:
• Historical data on cybersecurity incidents, breaches, or failures to meet regulatory requirements.
• Evidence showing the contractor has a track record of resistance to implementation of cybersecurity measures, cutting corners on cybersecurity to save costs or expedite contract performance.
Defense contractors have been responsible for complying with an evolving set of cybersecurity regulations for years – and each contractor should have an established performance and compliance history. Under DFARS 7012, contractors have been required to implement the 110 controls of NIST SP 800-171, or have a POA&M to implement the controls, by December 31, 2017. Furthermore, at the time of contract, and as a condition of contract, pursuant to DFARS 7008(c)(1), all contractors, by submission of their offers, certify and represent that they will comply with DFARS 7012 and implement the controls outlined in NIST SP 800-171.
Practical Considerations for Whistleblowers
While the decision to report cyberfraud is often driven by ethical considerations, there are practical factors that whistleblowers ought to take into account.
Although FCA claims are filed under seal (meaning they are initially kept confidential), whistleblowers should be prepared for the possibility that their identities may eventually be revealed during the course of litigation. Retaliation, though illegal, remains a concern for many, and whistleblowers often face personal and professional risks. Consulting with an attorney experienced in whistleblower actions can help mitigate these risks and guide whistleblowers through the process.
It is also important to note that not every case of cyberfraud will lead to a successful FCA claim. The whistleblower must demonstrate that the non-compliance was material to the government’s decision to pay the contractor, meaning the government would not have paid the contractor if it had known about the cybersecurity violations.
Blowing the whistle on cyberfraud involving DoD contracts is a weighty decision that requires thoughtful action and courage. Potential whistleblowers must weigh their ethical duty against the personal and professional risks, all while ensuring they have sufficient evidence to back their claims.
If you suspect cyberfraud involving DoD contracts, now is the time to act. By gathering credible evidence and partnering with experienced legal counsel, you can help safeguard national security, while ensuring your claims are strong and successful. Take a stand—your actions could make all the difference.