Latest DOJ FCA Case Signals Further Crackdown on Contractors’ Cybersecurity Measures, Focus on Universities
October 30, 2024
DOJ Appears to Assert FCA Liability for Contractor’s Failure to Meet Prospective Targets in Cybersecurity Improvement Plan
On Tuesday, October 22, the Department of Justice (“DOJ”) entered into a settlement with Pennsylvania State University (“Penn State”) to resolve allegations that Penn State violated the False Claims Act (“FCA”) by failing to comply with cybersecurity requirements in contracts involving the Department of Defense (“DOD”) and the National Aeronautics and Space Administration (“NASA”). The settlement concerns Penn State’s alleged non-compliance with the National Institute of Standards and Technology (“NIST”) standards that govern how federal contractors must process, store, transmit, and protect the confidentiality of Controlled Unclassified Information (“CUI”) received from the government. As with other recent suits by the government against contractors for non-compliance with NIST standards, DOJ’s allegations centered on statements included in Penn State’s self-attestations concerning its cybersecurity policies and procedures that were submitted to DOD as part of the contracting process. DOJ’s intervention represents the second significant FCA action by the government against a research university in the last six months. Notably, the covered conduct described in the settlement agreement included allegedly false statements about prospective plans for improving cybersecurity procedures—indicating that DOJ (and qui tam relators) may attempt to hold government contractors accountable for forward-looking statements of intent to implement cybersecurity measures, which creates significant risk in an area where standards and practices are so quickly evolving.
NIST Standards and Federal Regulations Require Self-Attestations to Include Action Plans for Addressing Cybersecurity Vulnerabilities
Federal contractors receiving CUI are required to provide “adequate” security.[1] Adequate is defined as, at minimum, complying with NIST Special Publication 800-171, titled “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”[2] The NIST standards include over 100 requirements spread across fourteen sub-chapters covering topics such as access controls, awareness and training, and incident response.[3] O’Melveny has previously noted that many of the NIST standards are ambiguous and vague, and that contractors face the risk that a private relator or the government may assert that a contractor’s attestations of compliance with the standards were false.
As part of the contracting process with DOD, federal contractors must submit a self-attestation to the Supplier Performance Risk System (“SPRS”) that includes an assessment of the contractor’s compliance with the NIST standards.[4] The assessment must include the “date that all [NIST] requirements are expected to be implemented,”[5] and a “plan of action and milestones” that includes “remediation actions to correct weaknesses or deficiencies noted during security assessments.”[6] These remediation plans, and particularly the dates of completion, are a key component in the Penn State settlement.
Penn State Settlement Indicates Government Focus on Targets Included in Remediation Plans
In January 2023, a whistleblower filed a complaint under seal alleging that Penn State submitted false self-attestations of NIST compliance to DOD.[7] Specifically, the complaint alleged that Penn State knowingly submitted generic placeholder risk assessments to the SPRS for multiple government contracts without completing any actual risk assessment of the systems containing CUI.[8] Further, the whistleblower alleged that these contracts remained active for several years before Penn State took any steps to complete an actual assessment or put in place any system security plans, and that at the time of filing the complaint, Penn State continued to be non-compliant with NIST standards.[9]
DOJ intervened for the purpose of settlement in October 2024, and alleged that “Penn State did not implement certain NIST SP 800-171 security requirements, and did not adequately document, develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in the systems involved in performance of those contracts.”[10] And, importantly, DOJ alleged that “in November 2020, Penn State disclosed in its submissions to the SPRS that it had not implemented certain NIST SP 800-171 Security requirements . . . [and] allegedly knowingly misstated, in its submissions to the SPRS, the dates by which it expected to implement all 110 of NIST SP 800-171’s requirements for those systems and failed to pursue plans of action for their implementation.”[11]
DOJ’s characterization of Penn State’s conduct is notable for two reasons. First, by highlighting Penn State’s alleged failure to “implement plans of action designed to correct deficiencies,” the government is indicating a continued willingness to use the FCA to hold companies accountable for not improving cybersecurity procedures to meet NIST standards. Any deficiency documented in a SPRS filing therefore poses a risk to a contractor if steps are not taken to address and remediate the issue.
Second, the specific reference to allegations concerning misstatements related to “dates by which [Penn State] expected to implement all” of the NIST requirements raises an independent potential concern for any company that proposes a forward-looking plan of action and milestones as part of its SPRS filing. The extent to which liability under the FCA can hinge on a failure to achieve projected targets poses complex questions of law. But, at the extreme, the settlement suggests that the government may pursue FCA claims against a company for failing to fulfill projected future implementation plans or timing targets. To do so, the government would need to prove that the company knew at the time of submission that it did not intend to achieve the target dates. But, at minimum, the settlement highlights the need for contractors to be aware of any dates included in SPRS submissions and to ensure that they are taking meaningful steps towards achieving full NIST compliance.
The Penn State Case Demonstrates the Importance of Setting Realistic Deadlines and Keeping Plans on Track
DOJ’s actions demonstrate that contractors must do more than pay lip service to implementing a corrective action plan to avoid FCA claims. Even if a contractor intends and expects to ultimately achieve NIST compliance, obstacles often arise that derail attempts to do so. Implementing heightened security requirements may take more time or effort than expected. Intervening obligations, ranging from sales pressures to staffing difficulties, may pull away necessary manpower hours. And implementing a plan of action can be iterative in nature, such that remediating one problem could reveal another. Contractors should consider seeking to be realistic from the start in assessing their capabilities in achieving certain milestones of any implementation plan and setting deadlines by which different stages of an action plan will be achieved. Good intentions in setting ambitious deadlines may not satisfy DOJ should those deadlines be repeatedly missed.
Contractors should consider dedicating individuals to monitoring the status of any corrective action plan or other ongoing efforts to achieve NIST compliance, so that these plans stay on track. That sort of monitoring may include regular meetings with the teams or individuals focused on implementation, as well as reiterating the importance of meeting deadlines so that competing obligations don’t encroach upon the time and resources allocated for achieving compliance. Management should also consider whether those in charge of compliance have the capacity to conduct the necessary monitoring, including potential audits, to confirm the contractor is on track to reach compliance. Should deadlines begin to slip, contractors should consider reallocating resources to bring compliance efforts back on track and stepping up the cadence of check-in calls or other monitoring efforts. Doing so will allow a contractor to represent to DOJ that implementation efforts are broadly on track and that the contractor is committed to NIST compliance. Contemporaneously documenting the good-faith reasons for any delay in implementation should also help insulate contractors from later accusations that they did not truly intend to complete the work on schedule.
Setting and meeting corrective action plan dates demonstrates a company’s commitment to addressing any identified issues and preventing future violations. DOJ’s intervention in Penn State indicates that it will scrutinize contractors who submit unrealistic dates for cybersecurity compliance and fail to achieve them. Contractors looking to achieve NIST compliance should consider setting reasonable dates for compliance in any representations made to DOJ and allocating resources accordingly to ensure deadlines do not fall by the wayside.
[1] DFAR §§ 252.204-7012.
[2] Ross R., Pillitteri V., Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, National Institute of Standards and Technology (May 2024) (“NIST SP 800-171r3”), available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r3.pdf.
[3] NIST SP 800-171r3.
[4] DFAR § 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements).
[5] Id.
[6] NIST SP 800-171r3 § 3.12.02(a).
[7] Complaint, United States ex rel. Drecker v. Penn State, Case No. 2:22-cv-03895-LAS (E.D. Penn Jan. 17, 2023).
[8] Id. ¶ 75.
[9] Id. ¶¶ 86-88.
[10] Settlement Agreement, United States ex rel. Drecker v. Penn State, Case No. 2:22-cv-03895-LAS, ¶ F (E.D. Penn Oct. 22, 2024).
[11] Id.
This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Sid Mody, an O’Melveny partner licensed to practice law in Texas; Amanda M. Santella, an O’Melveny partner licensed to practice law in the District of Columbia and Maryland; Benjamin D. Singer, an O’Melveny partner licensed to practice law in the District of Columbia and New York; Carly Gibbs, an O’Melveny counsel licensed to practice law in the District of Columbia and California; and Joshua Goode, an O’Melveny associate licensed to practice law in the District of Columbia, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.
© 2024 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, 1301 Avenue of the Americas, Suite 1700, New York, NY, 10019, T: +1 212 326 2000.