Penalties: Case Studies
(An Excerpt from Craig’s newest book: “Ultimate Guide to CMMC: How to Access Millions in Government Contracts”)
As we have established, it is clear that the “self-reporting” and “honor system” for government contractors who are required to abide by NIST 800-171 to gain government contracts is NOT working.
But just because everyone else is doing it means that you can, too, right?
I mean, technically you can, but not without potential repercussions.
Beyond the risk of breach of contract for lying to the government, you are also exposed to the False Claims Act (FCA), 31 U.S.C. § 3729(a)(1)(A) and (B), which imposes civil liability on any entity that knowingly presents a false claim, or makes a false record or statement material to a false claim, in order to get paid (criminal exposure for false statements comes from separate statutes). The Act has proven very effective because it allows any private citizen (called a “relator”) to sue on the government’s behalf in what is called a “qui tam” action, essentially blowing the whistle on a company that is untruthful to the US government. And the penalties are no joke…
Any business found to be in violation of the FCA is liable for up to three times the actual damages the Government sustained as a result of the false claim, plus a civil penalty for each false claim. The statute sets that penalty at $5,000 to $10,000 per claim, and it is adjusted for inflation, so the figures in force today are substantially higher. Note that the per-claim penalty is assessed on every invoice, not once per contract.
What’s even worse for the offending entity is that the whistleblower is eligible to share in the recovery: 15% to 25% if the government intervenes in the case, and 25% to 30% if the relator carries the case without the government.
In fact, two recent cases demonstrate the Government’s willingness (and the courts’ willingness) to pursue businesses that lied about their cyber security measures.
FCA Cases and NIST Violations
United States, et. al., ex. rel. James Glenn v. Cisco Systems, Inc
This case began in late October 2008. James Glenn, then an IT employee at a Cisco Systems subcontractor, reported to his employer that Cisco’s Video Surveillance Manager (VSM) software – software being sold to government agencies at every level – had significant cyber security flaws; specifically, the software could easily be exploited by attackers, giving them administrative-level control of the systems it ran on.
This meant that a bad actor of only mediocre ability could gain access to sensitive information such as usernames, passwords and anything else stored on the systems. They could also take full control of the video feeds, meaning they could delete and even modify video.
One would think that Cisco would want to fix this flaw as soon as possible, but instead, the warning fell on seemingly deaf ears.
But Glenn didn’t give up. In fact, between October 2008 and March 3, 2009, Glenn sent multiple warnings. Instead of being thanked for his competence and due diligence, he was terminated on March 9 of that year, less than a week after his last notice.
This didn’t stop Glenn, though. In fact, instead of rolling over, he reported the lack of action to the FBI and then filed an FCA qui tam complaint in May 2011.
Eight years later, on July 31, 2019, Cisco resolved the dispute by settlement for a total of $8.6 million. This was the first FCA cyber security case to be resolved, and it set a precedent: a vendor that knowingly sells the government software with serious security flaws, while representing it as fit for purpose, can be held liable under the FCA.
United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., and Aerojet Rocketdyne, Inc
The next big case to come out of a contractor failing to abide by the cyber security standards set by the US government for its contractors began when Aerojet Rocketdyne Holdings, a federal contractor for missile defense and rocket engine technology, misrepresented its compliance… and attempted to have its Senior Director of Cyber Security, Compliance and Controls, Brian Markus, cosign the deception.
Instead of going along with the misrepresentations, he filed an FCA qui tam suit against them.
And this is where Aerojet tried to get creative.
You see, the government decided not to intervene, which Aerojet took to mean that what they did (or, rather, didn’t do) was perfectly acceptable. So they filed a motion to dismiss the case, arguing that because the government already knew they weren’t fully compliant, the noncompliance was immaterial to the contract award.
The court was having none of that. While Aerojet DID disclose SOME of their noncompliance, they were not completely honest about its extent. The court reasoned that a contractor does not get to pick and choose: if the undisclosed gaps could have cost them the contract, then the false statements were material, and partial disclosure does not cure them.
Needless to say, the motion was denied and the case went forward.
What These Cases Mean for You
The results of these cases signal that the government means business. The creation of the CMMC model is another sign of it. The lack of cybersecurity in the US in general, and among federal contractors more specifically, has had a massive negative impact on the US government, and it is no longer going to sit by and allow noncompliance to continue.
As we have mentioned, you will no longer even be eligible for Department of Defense contracts that carry a CMMC requirement unless you pass the CMMC assessment. But in the meantime, if you are found to be out of compliance while representing otherwise, you will likely be forced to pay back, at least partially, the funds paid to you by the government, as well as additional penalties and fees…
Fortunately, PTG has a FREE CMMC/NIST self-assessment. We strongly urge you to fill it out, especially if you have (or want) a contract with the Department of Defense!
Compliance is truly your best option.