Complying with DOD Cybersecurity Regulations
On February 19, 2024, the Department of Justice (“DOJ”) notified the U.S. District Court for the Northern District of Georgia that it would intervene in a False Claims Act (“FCA”) case filed against Georgia Tech Research Corporation and Georgia Institute of Technology (collectively “Georgia Tech”) for not complying with the requirements of DFARS 252.204-7012 and National Institute of Standards and Technology Special Publication 800-171 (“NIST 800-171”).
All Department of Defense (“DOD”) solicitations and contracts contain DFARS clause 252.204-7012. DFARS 252.204-7012 requires a contractor to assess its compliance with 110 cybersecurity controls set out in the NIST 800-171 if the Company has controlled unclassified information. Specifically, pursuant to DFARS 252.204-7012, contractors must implement all of the NIST 800-171 requirements and upload the results of that assessment to the Department of Defense’s Supplier Performance Risk System (“SPRS”), or have a plan of action and milestones in place for any requirement the contractor has not yet implemented.
Here, the whistleblower complaint alleges that Georgia Tech falsely represented to the Government that its internal networks complied with DFARS 252.204-7012 and NIST SP 800-171. After a two-year investigation, the DOJ decided to intervene in the case.[1] DOJ’s intervention signals a shift in the Government’s attitude towards contractors’ compliance with NIST 800-171 controls. While officially contractors were required to comply with NIST 800-171 controls since December 31, 2017, the reality is that a sizable portion of the Defense Industrial Base has still not implemented all 110 NIST controls. DOD is aware of this reality but has generally allowed non-compliant contractors to continue working towards compliance. This case demonstrates that contractors that have not yet implemented the NIST 800-171 controls could be at risk of administrative, civil, and potentially criminal penalties unless they bring their covered information systems into compliance.
In the meantime, contractors should consider taking the following steps to mitigate any potential liabilities:
- Work with third parties to assess compliance with NIST 800-171. Rather than relying on internal assessments, contractors should work with third parties to assess compliance. Hiring third parties to assess NIST 800-171 compliance can produce a more objective assessment and limit potential exposure.
- Communicate with the government. Communication with the government will mitigate the risk of an FCA claim—DOD knows that many contractors’ covered information systems do not yet fully comply with NIST 800-171. A contractor can mitigate potential FCA risk by uploading accurate self-assessment scores into SPRS—this notifies DOD of a contractor’s NIST 800-171 compliance status. Notifying the DOD of any unimplemented NIST controls is not only required by DFARS 252.204-7012(b)(2)(ii)(C), but it can also reduce the contractor’s FCA risk because the government is now aware that the contractor does not fully comply with NIST 800-171.
- Leverage cloud service providers (“CSP”) where practical. There are many CSPs that provide DFARS 252.204-7012-compliant environments. By leveraging these CSPs, contractors can outsource much of their cybersecurity requirements to companies that specialize in providing compliant environments. This will, once again, help contractors limit potential exposure.
The Georgia Tech case highlights DOJ’s increased efforts under the Civil Cyber-Fraud Initiative. The Government’s intervention in this case shows that time is almost up for DOD contractors, and that they need to comply with DFARS 252.204-7012 and implement NIST SP 800-171 controls as soon as practicable.
[1] DOJ has not yet filed its Complaint in Intervention. DOJ has until June 24, 2024, to file its Complaint in Intervention. DOJ’s filing will provide more insight into the material issues of the case.