The False Claims Act goes back to the Civil War. My guess is, back then they were not worried about cybersecurity.
Since CMMC 1.0 was introduced, there have been quiet rumors that the DoJ was going to use the FCA to go after contractors who lie about their cybersecurity practices. Last fall the DoJ made it public.
The FCA is a civil statute, and it allows the government to pay the whistleblower up to 30% of whatever it recovers from a contractor found liable.
What this means is that annoyed ex-employees and competitors might turn you in. It gives them payback and a handsome profit.
Last week the U.S. District Court for the Eastern District of California denied Aerojet Rocketdyne's attempt to get a lawsuit dismissed. The suit alleges that Aerojet falsely told the government it was complying with cybersecurity requirements when it was not. Aerojet was only partially successful: the FCA claim still stands, and it could, potentially, cost the company billions.
How did it start? In 2015 Aerojet's FORMER senior director of cybersecurity, compliance and controls filed a qui tam action alleging that Aerojet was not in compliance with the cybersecurity requirements of the DoD and NASA contracts it held.
Brian Markus, the whistleblower who turned them in, refused to sign certifications that Aerojet was in compliance and was fired shortly thereafter. After the government declined to intervene in the case, he amended the complaint to add:
- Promissory fraud
- False or fraudulent statement of record
- Conspiracy to submit false claims
- California labor code violation
- Wrongful termination
While Aerojet may or may not prevail in the end, this is definitely airing dirty laundry, and every new contracting officer is going to be looking REAL hard at their security practices now.
Since this suit was filed years before the DoJ's announcement, we don't know how many of these cases the government, or whistleblowers, might file going forward.
What we do know is that the government had the opportunity to intervene and say that it knew about Aerojet's non-compliance and was okay with it – AND CHOSE NOT TO DO THAT.
The moral of the story is to get compliant, and if you are not compliant, disclose the gaps fully to your customer.
Credit: JD Supra