DOD Cybersecurity Interim Rule Brings New False Claims Act (FCA) Risks
If you are a DoD Contractor / Defense Industrial Base (DIB Company), you may already have been notified you need to comply with a new interim ruling.
You Can Find the Interim Rule HERE.
Many Prime Contractors are actively contacting Subcontractors and requiring them to submit their assessment scores to the Government. Letters are coming out now – check your mail and email: it may already be there.
Prime Contractors have the right to request this information based upon this regulation which goes into effect on November 30, 2020. The new Interim Rule DFARS clause 252.204-7019 will require the use of the NIST SP800-171 DoD Assessment Methodology with a standard scoring methodology and 3 assessment levels (Basic, Medium, High) to reflect the depth of the assessment. Self-assessments are “Basic” while “Medium” and “High” are done by the Government. This rule amends DFARS subpart 204.73, Safeguarding Covered Defense Information and Cyber Incident Reporting, to implement the NIST SP 800–171 DoD Assessment Methodology.
“All offerors that are required to implement NIST SP 800–171 on covered contractor information systems pursuant to DFARS clause 252.204–7012, will be required to complete a Basic Assessment and upload the resulting score to the Supplier Risk Management System (SPRS), DoD’s authoritative source for supplier and product performance information.”
You start with a score of 110 and then deduct the weighted points for each requirement that is not fully implemented (i.e., every requirement where you are relying on the SSP and POA&Ms rather than on a control that is actually in place). Did I mention that you can lose up to 313 points? That translates to a range of -203 to 110 points.
“The Basic Assessment is a self-assessment done by the contractor using a specific scoring methodology that tells the Department how many security requirements have not yet been implemented and is valid for three years. A company that has fully implemented all 110 NIST SP 800–171 security requirements, would have a score of 110 to report in SPRS for their Basic Assessment. A company that has unimplemented requirements will use the scoring methodology to assign a value to each unimplemented requirement, add up those values, and subtract the total value from 110 to determine their score.”
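The arithmetic above is simple, but the part companies get wrong is what counts as "implemented": under the methodology a requirement tracked only in a POA&M earns no credit and is deducted at its full weight. The calculator below is an added example written for this post, not the DoD's tool or a reproduction of the methodology's scoring table. It assumes the methodology's 1/3/5-point weights (a fact about the methodology, not stated on this page), and the requirement list, statuses and weights in `SAMPLE` are constructed illustration values, not a real assessment.

```python
from dataclasses import dataclass

MAX_SCORE = 110   # every one of the 110 NIST SP 800-171 requirements implemented
MIN_SCORE = -203  # 110 minus the 313 points the methodology can deduct in total

# Status values for one requirement. Only "implemented" earns credit; an item that
# is open in a POA&M or simply not done is deducted at its full weight.
IMPLEMENTED = "implemented"
POAM = "poam"                      # open Plan of Action & Milestones item
NOT_IMPLEMENTED = "not_implemented"
VALID_STATUSES = {IMPLEMENTED, POAM, NOT_IMPLEMENTED}
VALID_WEIGHTS = {1, 3, 5}          # point values used by the DoD Assessment Methodology


@dataclass(frozen=True)
class Requirement:
    req_id: str   # NIST SP 800-171 identifier, e.g. "3.1.1"
    weight: int   # 1, 3 or 5 points, taken from the methodology's scoring table
    status: str


def validate(reqs):
    """Reject records that would silently distort a reported score."""
    seen = set()
    for r in reqs:
        if r.weight not in VALID_WEIGHTS:
            raise ValueError(f"{r.req_id}: weight must be 1, 3 or 5, got {r.weight}")
        if r.status not in VALID_STATUSES:
            raise ValueError(f"{r.req_id}: unknown status {r.status!r}")
        if r.req_id in seen:
            raise ValueError(f"{r.req_id}: duplicate requirement")
        seen.add(r.req_id)


def deductions(reqs, count_poam_as_implemented=False):
    """Return (req_id, points) for every requirement that must be deducted.

    count_poam_as_implemented=True reproduces the old habit of treating a
    POA&M entry as compliance; the methodology does not allow that, and the
    flag exists only to show how far that habit inflates a score.
    """
    credited = {IMPLEMENTED, POAM} if count_poam_as_implemented else {IMPLEMENTED}
    return [(r.req_id, r.weight) for r in reqs if r.status not in credited]


def basic_score(reqs, count_poam_as_implemented=False):
    """Compute the SPRS Basic Assessment score: 110 minus the deducted points."""
    validate(reqs)
    lost = sum(points for _, points in deductions(reqs, count_poam_as_implemented))
    score = MAX_SCORE - lost
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError(f"score {score} is outside the possible range {MIN_SCORE}..{MAX_SCORE}")
    return score


# Constructed sample: a fragment of an assessment, not a real company's data.
# Implemented requirements are included to show they deduct nothing; a real
# assessment covers all 110 requirements. Weights here are sample values.
SAMPLE = [
    Requirement("3.1.1", 5, IMPLEMENTED),
    Requirement("3.1.2", 5, IMPLEMENTED),
    Requirement("3.3.1", 5, NOT_IMPLEMENTED),
    Requirement("3.5.3", 5, POAM),
    Requirement("3.13.11", 5, POAM),
    Requirement("3.4.7", 3, POAM),
    Requirement("3.8.4", 1, NOT_IMPLEMENTED),
]

if __name__ == "__main__":
    print("reportable score:", basic_score(SAMPLE))
    print("score if POA&M items were (wrongly) counted as done:",
          basic_score(SAMPLE, count_poam_as_implemented=True))
    for req_id, points in deductions(SAMPLE):
        print(f"  -{points}  {req_id}")
```

Running it on the sample gives a reportable score of 91, against 104 if the three open POA&M items were counted as implemented. That 13-point gap is exactly the kind of discrepancy a Medium or High Government assessment would surface, so the number that goes into SPRS should be the one produced with the default setting.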
In the past, DoD Contractors / Defense Industrial Base (DIB Companies) have been self-attesting to compliance with the DFARS. They were able to claim compliance with security controls using their own definitions of compliance and by pointing to a plan to correct issues in the form of a System Security Plan (SSP) and Plans of Actions & Milestones (POA&Ms).
Within the DFARS, DoD Contractors / Defense Industrial Base (DIB Companies) were able to legally state they met the obligations of the DFARS clause without fully complying with the regulatory requirements. So, if you are a DoD Contractor / Defense Industrial Base (DIB Company) who has been relying on a System Security Plan (SSP) and Plans of Actions & Milestones (POA&Ms), we have got news for you. When you report your score to SPRS you will need to be fully transparent, or else you could be guilty of filing a False Claim.
“The False Claims Act, also called the "Lincoln Law", is an American federal law that imposes liability on persons and companies who defraud governmental programs. It is the federal Government's primary litigation tool in combating fraud against the Government. The law includes a qui tam provision that allows people who are not affiliated with the government, called "relators" under the law, to file actions on behalf of the government. Persons filing under the Act stand to receive a portion of any recovered damages. As of 2019, over 71 percent of all FCA actions were initiated by whistleblowers. Claims under the law have typically involved health care, military, or other government spending programs, and dominate the list of largest pharmaceutical settlements. The government has recovered more than $62 billion under the False Claims Act between 1987 and 2019.” https://en.wikipedia.org/wiki/False_Claims_Act
The DoD is reserving the right to come in and audit your compliance, and the last thing you want is to be caught in a False Claims Act violation. Prosecutions under the False Claims Act are a huge threat to your business. Many companies never recover from the prosecution and need to shut down.
If you haven’t already used the methodology to review your compliance posture you better get started ASAP. You will need to provide this information very soon.
This is where “(You're) Damned If You Do and Damned If You Don't” comes into play. If you do not measure your compliance posture, you cannot comply with the requirement and the DoD will get involved. If you do measure your compliance posture and you do not get a good score, the DoD will get involved.
My advice is to report now and report accurately. The DoD needs to see how many DoD Contractors / Defense Industrial Base (DIB Companies) were heavily relying on an SSP and POA&Ms so they can get a true understanding of the entire industry's compliance posture.
I believe the DoD thinks most of you are nearly compliant, and I suspect that may not really be the case. You can see this within the DoD’s estimates of what they expect this ruling and the CMMC program will cost DoD Contractors / Defense Industrial Base (DIB Companies). They appear to be underestimating the costs significantly by assuming you are already 100% compliant or close to that mark. I believe the DoD thinks the average score is going to be a positive number.
If the results come back and a huge percentage of DoD Contractors / Defense Industrial Base (DIB Companies) report negative numbers, the DoD will have no choice but to work with industry to adjust compliance timelines and/or fund “get well” projects. I believe the real average score is going to be a negative number. Now is the time for you to tell your story. The DoD Interim Rule has been in effect since 30 November 2020, so you need to report. Get your score together and tell the DoD where you stand. Until the DoD sees the industry’s real compliance posture, they are not going to know the actual situation. And please, report accurately – the last thing you need is a lawsuit based on the False Claims Act.