DOJ Intervention in Cybersecurity Suit is a Harbinger of Cyber-Fraud Initiative’s Focus on Contractor Information Security Practices
April 23, 2024
The Department of Justice (“DOJ”) intervened in a first-of-its-kind False Claims Act (“FCA”) case by the United States government against a federal contractor accused of non-compliance with federal cybersecurity regulations. In United States ex rel. Craig v. Georgia Tech Research Corporation, et al., the government will pursue claims against two research organizations for purported failure to comply with the standards promulgated by the National Institute of Standards and Technology (“NIST”) for how federal contractors must secure and interact with government data and information.
DOJ’s intervention makes this the first major cybersecurity-related FCA case DOJ has chosen to litigate since the government launched its Civil Cyber-Fraud Initiative; all prior cybersecurity-related FCA cases under the Initiative settled without reaching the litigation stage. According to DOJ, the Initiative seeks to hold companies accountable for putting US information or systems at risk by “knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”1 As O’Melveny previously predicted, non-compliance with the NIST standards appears to be a focus of the Civil Cyber-Fraud Initiative, and the government’s intervention in this case should serve as a warning to all government contractors that interact with government information.
Ambiguity in the NIST standards creates FCA risk for government contractors
The FCA is the government’s “primary civil tool to redress false claims for federal funds and property involving government programs and operations.”2 Any entity that does business, directly or indirectly, with the government can be held liable for submitting, or causing the submission of, a false or fraudulent claim for payment.3 A defendant found liable under the FCA faces steep damages, including civil penalties for each claim for payment, actual damages valued at the amount the government paid toward the claims, and treble damages calculated at three times the amount of actual damages.4 In the last fiscal year alone, the government recovered $2.6 billion in FCA settlements and judgments, including around $4.3 million related to cybersecurity requirements.5
To further encourage compliance with federal laws and regulations, the FCA contains a qui tam provision that allows private individuals or “relators” to bring suit on behalf of the government and share in any recovery.6 Relators, often but not exclusively employees at companies being sued, bring the vast majority of FCA actions.7 Suits brought by relators are filed “under seal,” and are kept secret while DOJ determines whether it wants to intervene and litigate the case on behalf of the United States or allow the relator to pursue the case independently.8
Because federal contractors often must certify explicitly that they comply with federal requirements—statutory, regulatory, or contractual guidelines—FCA suits often concern whether a defendant’s certification was knowingly false. The FCA also covers “implied false certifications,” where a company faces liability for failing to disclose noncompliance with federal requirements even where it did not expressly certify compliance.9
Contractors face an increased risk of FCA claims alleging false certifications when they submit claims for payment under programs whose requirements lack clarity. The NIST cybersecurity guidelines are no exception. Federal regulations require contractors receiving or accessing “Controlled Unclassified Information” (“CUI”) to provide “adequate” security.10 “Adequate” is defined as, at minimum, compliance with NIST Special Publication 800-171, titled “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (“NIST 800-171”).11 NIST 800-171 includes over 100 security requirements spread across fourteen sub-chapters covering topics including access control, incident response, personnel security, and system and information integrity.
In July 2023, O’Melveny predicted that ambiguous and vague NIST provisions would give FCA relators or the government an opening to assert that a contractor had misinterpreted the standards and, therefore, falsely certified compliance in violation of the FCA.12 As an example, NIST 800-171 section 3.11.2 states that a company should scan for vulnerabilities in organizational systems and applications “periodically” and when new vulnerabilities affecting those systems are identified, but it provides no explicit instructions for how organizations should implement these scans or what “periodically” means. Although these standards are meant to provide flexibility in light of the constantly shifting cybersecurity landscape, their ambiguous requirements expose contractors to potential FCA liability whenever interpretations differ. With United States ex rel. Craig v. Georgia Tech Research Corporation, this prediction has come to pass.
The Georgia Tech case demonstrates the importance of implementing rigorous compliance procedures
In the 2022 complaint, two whistleblowers—a current employee and a former employee and graduate student at Georgia Institute of Technology—alleged that the university, Georgia Tech Research Corporation, and Georgia Tech Research Institute (collectively, “Georgia Tech”) submitted false self-attestations of NIST compliance to the Department of Defense (“DOD”).13 As a DOD contractor focused on providing research for the government and industry, Georgia Tech was required to certify to the DOD that it had conducted a self-assessment indicating the extent to which it had implemented NIST security requirements.14
But the complaint alleges that, in submitting these assessments, Georgia Tech relied upon unqualified internal assessors to determine whether laboratory practices were NIST compliant.15 These assessors also allegedly failed to compile sufficient evidence to show that Georgia Tech was compliant with NIST standards. Because the teams and individuals charged with determining NIST compliance were also tasked with fixing the problems they identified, the complaint asserts that they faced a conflict of interest, which led them to prioritize simply getting attestations on file so that funding would be paid rather than ensuring Georgia Tech actually met NIST requirements.16 In April 2024, the United States intervened in the case, a clear signal that DOJ intends to pursue company compliance with NIST requirements going forward.
Because the allegations suggest Georgia Tech falsely certified that it was compliant with DOD contractual and regulatory requirements, they present a textbook case of potential FCA liability predicated on alleged non-compliance with NIST standards. The Complaint contends that personnel across teams at Georgia Tech interpreted NIST controls in a way that allowed them to designate whatever actions they were already taking as “compliant,” adopting interpretations that effectively rendered security controls meaningless.17 Personnel also relied upon self-selected evidence that was not sufficient to demonstrate actual compliance and failed to create essential security systems until two years after Georgia Tech began certifying NIST compliance.18 According to the Complaint, such practices failed to follow the contractual testing and verification requirements with which Georgia Tech had promised to comply, yielding alleged FCA violations.
The complexity of cybersecurity requirements can be intimidating, but to avoid potential litigation, companies should, as a best practice, consider investing time and resources in understanding their cybersecurity obligations and taking the appropriate steps to fulfill them. Companies should consider investing in internal personnel management and training to ensure all personnel are aware of both the importance of meeting NIST requirements and the steps necessary to fulfill those requirements. While internal business, compliance, and IT teams may disagree about whether general cybersecurity measures are sufficient, as a best practice companies should set clear expectations about what specific actions should be taken to meet NIST standards and what consequences may follow if such actions do not occur. Without clearly delineated expectations, companies run the risk that employees will fail to notice that they are making compliance misrepresentations, or fail to address them, as allegedly occurred at Georgia Tech.
Companies should also review any existing compliance trainings or handbooks to find opportunities to enhance training and communication about reporting potential compliance issues within the company. That may involve providing a variety of ways for employees to flag their concerns about testing or verification processes, such as a hotline that permits employees to retain anonymity when raising issues. Annual or other regularly occurring trainings can demonstrate that companies take compliance concerns seriously in addition to providing crucial information about employee and company obligations. Such compliance efforts allow employees to escalate concerns if immediate supervisors fail to address them and to do so without fear of retaliation, avoiding the roadblocks that ultimately led the Georgia Tech whistleblowers to seek outside legal advice and file this Complaint.
Contractors may understandably have concerns about the often vague and broad NIST standards governing cybersecurity policies. The very ambiguity that permits flexibility and dynamism in responding to evolving threats also creates the risk that contractors will be accused of misinterpreting the standards and falsely certifying compliance with them to the government. Having a system in place that continuously vets and assesses procedures, and modifies them if necessary, helps demonstrate a contractor’s commitment to complying with NIST requirements.
This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Sid Mody, an O’Melveny partner licensed to practice law in Texas; Amanda M. Santella, an O’Melveny partner licensed to practice law in the District of Columbia and Maryland; Danny S. Ashby, an O’Melveny partner licensed to practice law in Texas; Hannah E. Dunham, an O’Melveny counsel licensed to practice law in the District of Columbia and California; Carly Gibbs, an O’Melveny counsel licensed to practice law in the District of Columbia and California; and Joshua Goode, an O’Melveny associate licensed to practice law in the District of Columbia, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.
1 Press Release, Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative, (Oct. 6, 2021) available at https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative.
2 Id.
3 31 U.S.C. § 3729.
4 Id.
5 Press Release, False Claims Act Settlements and Judgments Exceed $2.68 Billion in Fiscal Year 2023, DOJ (Feb. 22, 2024), available at https://www.justice.gov/opa/pr/false-claims-act-settlements-and-judgments-exceed-268-billion-fiscal-year-2023.
7 Supra note 5.
8 Supra note 6.
9 Universal Health Servs., Inc. v. United States ex rel. Escobar, 579 U.S. 176, 190 (2016).
10 DFARS § 252.204-7012.
11 Available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf.
12 Amanda Santella et al., Cybersecurity Challenges and the False Claims Act: Insights from the Supervalu Decision, ABA (July 20, 2023), available at https://www.americanbar.org/content/dam/aba/publications/criminaljustice/2023/santella-mody-dunham.pdf.
13 Complaint, ¶ 49, United States ex rel. Desai v. Georgia Tech Research Corporation, Case No. 1:22-cv-02698-JPB (N.D. Ga. July 8, 2022).
14 Compl. ¶¶ 18, 21.
15 Compl. ¶ 31.
16 Compl. ¶¶ 41-42.
17 Compl. ¶¶ 33-35.
18 Compl. ¶¶ 37, 51-53.