DFARS and CMMC: Regulatory enforcement and recent actions

Enforcing cybersecurity compliance – 2022

Cybersecurity is without doubt the biggest non-financial risk public and private sector organizations face — a risk U.S. and European Union regulators are turning to regulatory enforcement to manage. The average cost of a cyberattack increased in 2021 to $4.24 million from $3.86 million in 2020. Also in 2021, ransomware became the predominant cyber threat confronting businesses of all sizes. Recent cyberattacks on SolarWinds, JBS Meat, Kaseya, Colonial Pipeline, and Toyota have demonstrated the impact of cybercrime on supply chains, and the cyberattacks by the Lapsus$ group demonstrated that low-level hackers can successfully disrupt major brands. Moreover, the Ukraine crisis is the world’s first geopolitical conflict using cyber alongside conventional weapons. In response to this level of risk, the U.S. and EU have begun to regulate or propose to regulate cybersecurity risk management, looking to the boards of impacted organizations to manage cybersecurity risk with board oversight, assurance, and regulatory compliance attestation and reporting. 

Cybersecurity enforcement regimes to consider

Clear messages from several Federal Agencies relating to the oversight, assurance and enforcement of regulations that can be applied to cybersecurity have been publicised in Quarter 4, 2021.

  • The Department of Justice (DoJ).  Launched a Civil Cyber-Fraud Initiative in October 2021 that will utilize the False Claims Act (FCA) to pursue cybersecurity related fraud by government contractors and grant recipients. The DoJ will use the FCA to pursue government contractors and federal grant recipients that “knowingly provide deficient cybersecurity products or services, knowingly misrepresent their cybersecurity practices or protocols, or knowingly violate obligations to monitor and report cybersecurity incidents and breaches.” DOJ will not limit enforcement to entities; individuals also can be held accountable for cybersecurity-related fraud. Under the False Claims Act, penalties for such violations could be substantial, including treble damages.  There is Precedence under the false claims FCA to charge companies for their failure to comply with DFRAS 252.204-7012.
  • The Department of Treasury (DoT).  In October 2021 the DoT issued an update on potential sanctions for facilitating ransomware payments under OFAC(Office of Foreign Assets Control).  The updated advisory highlighted the sanctions risks associated with ransomware payments in connection with malicious cyber-enabled activities and the proactive steps companies can take to mitigate such risks, including actions that OFAC would consider to be “mitigating factors” in any related enforcement action.  Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.  The advisory provides information for contacting relevant U.S. government agencies, including OFAC if there is any reason to suspect the cyber actor demanding ransomware payment may be sanctioned.  Numerous individuals, groups and jurisdictions associated with ransomware have been sanction under OFAC.  Making it important that any organisation that undergoes a ransomware attack consults OFAC before making a payment, as the penalties are severe ranging from fines up to $20million and prison sentences as long as 30 years.
  • The Securities and Exchange Commission (SEC).  In September 2017 the SEC established a cyber enforcement division.  Focusing on violations involving digital assets, initial coin offerings and cryptocurrencies; cybersecurity controls at regulated entities; issuer disclosures of cybersecurity incidents and risks; trading on the basis of hacked non-public information; and cyber-related manipulations, such as brokerage account takeovers and market manipulations using electronic and social media platforms.  2021 has seen several enforcement actions including for failures of firms to implement appropriate cybersecurity policies and procedures exposing client data and misleading investors through false reporting of cyber incidents.  The SEC had plans in 2021 to issue ‘Cyber risk governance‘ legislation that is likely to require reporting of covered entities oversight and assurance of cyber risk to the SEC.  Plans that it deliver against with the release in March 2022 of a Cybersecurity Risk Management proposal for public firms under its regulatory oversight, pending a final release later in 2022 that will have a significant impact on both national and international market registrants under the Securities and Exchange Act 1934.
  • The EU Commission has jurisdiction over EU law.  That includes the oversight and assurance of both the EU Network and Information Security Directive (EU NIS 2.0 – 2022) and the proposed Digital Operational Resilience Act (DORA – 2022).

Cybersecurity enforcement Actions

2022 has seen a number of enforcement actions by the Department of Justice under the FCA that have specific relance to cybersecurity.  Setting precedence for further action as cybersecurity legislation develops in the U.S, impacting both National and International organisations.

  • Comprehensive Health Services LLC (CHS).  In March 2022 the Department of Justice’s (DoJ) resolved its first resolution of a False Claims Act case involving cyber fraud since the launch of the department’s Civil Cyber-Fraud Initiative, which aims to combine the department’s expertise in civil fraud enforcement, government procurement and cybersecurity to combat new and emerging cyber threats to the security of sensitive information and critical systems. CHS LLC agreed to pay $930,000 to resolve allegations that it violated the False Claims Act (FCA) by falsely representing to the State Department and the Air Force that it complied with contract requirements relating to the provision of medical services at State Department and Air Force facilities in Iraq and Afghanistan.

CHS, located in Cape Canaveral, Florida, is a provider of global medical services that contracted to provide medical support services at government-run facilities in Iraq and Afghanistan.  Under one of its contracts, CHS submitted claims to the State Department for the cost of a secure electronic medical record (EMR) system to store all patients’ medical records, including the confidential identifying information of United States service members, diplomats, officials, and contractors working and receiving medical care in Iraq.  The United States alleged that, between 2012 and 2019, CHS failed to disclose to the State Department that it had not consistently stored patients’ medical records on a secure EMR system. When CHS staff scanned medical records for the EMR system, CHS staff saved and left scanned copies of some records on an internal network drive, which was accessible to non-clinical staff. Even after staff raised concerns about the privacy of protected medical information, CHS did not take adequate steps to store the information exclusively on the EMR system.

Comprehensive Health Services LLC (CHS) settlement: https://www.justice.gov/opa/pr/medical-services-contractor-pays-930000-settle-false-claims-act-allegations-relating-medical

  • Aerojet Rocketdyne.

    Aerojet Rocket dyne a U.S company that provides propulsion and power systems for launch vehicles, missiles and satellites and other space vehicles to the Department of Defense, NASA and other federal agencies.  Reached a settlement to resolve a lawsuit filled by a former Aerojet employee Brian Markus against Aerojet.  Under the qui tam or whistle-blower provisions of the False Claims Act (FCA).  That permits a private party (known as a relator) to file a lawsuit on behalf of the United States and receive a portion of any recovery

    Headquartered in El Segundo, California, Aerojet Rocket dyne agreed in April 2022 to pay $9 million to resolve allegations that it violated the False Claims Act by misrepresenting its compliance with cybersecurity requirements in certain federal government contracts.  Following a long-standing dispute relating to Aerojet Rocket dynes compliance to Federal Cybersecurity contractual requirements.

    The settlement of $9m results in the Mr. Markus receiving $2.6 Million of the FCA recovery.

    Aerojet Rocketdyne settlement: https://www.justice.gov/opa/pr/aerojet-rocketdyne-agrees-pay-9-million-resolve-false-claims-act-allegations-cybersecurity

Chartered Security Professional (CSyP)The Institute of Mechanical Engineers (IMECHE). The UKs largest professional body representing Mechanical Engineers and Chartered Engineers.Security Institute (MSyI)Worshipful Company of Security ProfessionalsAcademy of Experts