DFARS and CMMC 2.0: Regulatory enforcement

Enforcing DFARS 252.204-7012, 7019 and 7020

Cybersecurity implementation has always been difficult to accomplish within the private sector, where boards have historically perceived cyber to be an added cost that delivers little or no benefit to revenue generation or cost containment. For many years ‘it won’t happen to me’ or ‘I have cyber insurance’ has been the main message that corporate boardrooms have used to justify non-compliance.

But cyber is considered by many nations to be a national security issue, and market forces by themselves do not manage cyber security. In the case of the US, IP has been compromised for several years by other nation states and their proxies, who have profited from US R&D by using cyber as a tool for national and corporate IP theft and for the disruption of CNI (critical national infrastructure) and the public and private sectors. Congress is pushing more cyber regulation in 2021 than it has in the previous 20 years. The legislative and regulatory agenda that includes DFARS 252.204-7012, 7019, 7020 and CMMC is a prime example of this, and the regulatory ‘stick’ appears to be driving US ‘defensive’ cyber strategy.

Enforcement regimes

Clear messages from several federal agencies relating to the oversight, assurance and enforcement of regulations that can be applied to cyber security were publicised in Quarter 4, 2021.

  • The Department of Justice (DoJ). Launched a Civil Cyber-Fraud Initiative in October 2021 that will utilize the False Claims Act (FCA) to pursue cybersecurity-related fraud by government contractors and grant recipients. The DoJ will use the FCA to pursue government contractors and federal grant recipients that “knowingly provide deficient cybersecurity products or services, knowingly misrepresent their cybersecurity practices or protocols, or knowingly violate obligations to monitor and report cybersecurity incidents and breaches.” The DoJ will not limit enforcement to entities; individuals can also be held accountable for cybersecurity-related fraud. Under the False Claims Act, penalties for such violations could be substantial, including treble damages. There is precedent under the FCA for charging companies for their failure to comply with DFARS 252.204-7012.
  • The Department of the Treasury (DoT). In October 2021 the DoT issued an update on potential sanctions for facilitating ransomware payments under OFAC (Office of Foreign Assets Control). The updated advisory highlighted the sanctions risks associated with ransomware payments in connection with malicious cyber-enabled activities and the proactive steps companies can take to mitigate such risks, including actions that OFAC would consider to be “mitigating factors” in any related enforcement action. Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but may also risk violating OFAC regulations. The advisory provides information for contacting relevant U.S. government agencies, including OFAC, if there is any reason to suspect that the cyber actor demanding a ransomware payment may be sanctioned. Numerous individuals, groups and jurisdictions associated with ransomware have been sanctioned under OFAC, making it important that any organisation that suffers a ransomware attack consults OFAC before making a payment, as the penalties are severe, ranging from fines of up to $20 million to prison sentences as long as 30 years.
  • The Securities and Exchange Commission (SEC). In September 2017 the SEC established a cyber enforcement division, focusing on violations involving digital assets, initial coin offerings and cryptocurrencies; cybersecurity controls at regulated entities; issuer disclosures of cybersecurity incidents and risks; trading on the basis of hacked non-public information; and cyber-related manipulations, such as brokerage account takeovers and market manipulations using electronic and social media platforms. 2021 has seen several enforcement actions, including for failures of firms to implement appropriate cybersecurity policies and procedures, exposing client data, and for misleading investors through false reporting of cyber incidents. The SEC has plans in 2021 to issue ‘Cyber risk governance’ legislation that is likely to require covered entities to report their oversight and assurance of cyber risk to the SEC.
