09 Nov 2020

Penalties: Case Studies

(An Excerpt from Craig’s newest book: “Ultimate Guide to CMMC: How to Access Millions in Government Contracts”)

As we have established, the "self-reporting" and "honor system" for government contractors who are required to abide by NIST SP 800-171 in order to win government contracts is NOT working.

But just because everyone else is doing it means that you can, too, right?

I mean, technically you can, but not without potential repercussions.

Beyond the risk of breach of contract for lying to the government, you are also exposed to the False Claims Act (FCA), 31 U.S.C. § 3729(a)(1)(A) and (B), which imposes civil liability on anyone who knowingly presents a false claim for payment, or makes a false record or statement material to such a claim (criminal prosecution for false claims and false statements proceeds under separate statutes). The Act has proven very effective because it allows any private citizen (called a "relator") to sue on the government's behalf, in what is called a "qui tam" action, against a company that has been untruthful with the US government.  And the penalties are no joke…

Any business found liable under the FCA owes three times the actual damages the Government sustained as a result of the false claim (treble damages), plus a civil penalty for each false claim.  The statutory range for that penalty is $5,000 to $10,000 per violation, and it is adjusted for inflation, so the per-claim penalties actually assessed today are substantially higher.

What’s even worse for the offending entity is that the whistleblower shares in the recovery: 15% to 25% of the proceeds if the government intervenes in the case, and 25% to 30% if the relator litigates it without the government.

In fact, two recent cases demonstrate the willingness of the Government, and of relators, to pursue businesses that misrepresented their cyber security measures.

FCA Cases and Cybersecurity Noncompliance

United States, et al., ex rel. James Glenn v. Cisco Systems, Inc.

This case began in late October 2008.  James Glenn, then an IT engineer at NetDesign, a Danish Cisco partner that resold Cisco products, reported to his employer and to Cisco that Cisco’s Video Surveillance Manager (VSM) software – which Cisco was selling to government agencies at every level – had significant security flaws; specifically, the software could easily be exploited by an attacker, giving them administrative-level control of the systems it ran on and of the networks behind them.

This meant that even an attacker of mediocre ability could obtain sensitive information such as usernames and passwords, along with anything else stored on the systems.  They could also take full control of the video feeds, meaning that they could delete and even modify recorded video.

One would think that Cisco would want to fix this flaw as soon as possible, but instead, the warning fell on seemingly deaf ears.

But Glenn didn’t give up.  Between October 2008 and March 3, 2009, Glenn sent multiple warnings.  Instead of being thanked for his diligence, he was terminated on March 9 of that year, less than a week after his last notice.

This didn’t stop Glenn, though.  Instead of rolling over, he reported the lack of action to the FBI and then filed an FCA qui tam complaint in May 2011.

Eight years later, on July 31, 2019, Cisco settled the case for a total of $8.6 million.  This was the first FCA settlement over a vendor’s cybersecurity representations.  A settlement does not create binding legal precedent, and the Cisco matter turned on the security of the product itself rather than on a NIST standard, but it put every contractor on notice that security flaws in products sold to the government can form the basis of an FCA claim.

United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., and Aerojet Rocketdyne, Inc.

The next big case to come out of a contractor failing to abide by the cyber security standards the US government sets for its contractors began when Aerojet Rocketdyne Holdings, a federal contractor for missile defense and rocket engine technology, allegedly misrepresented its compliance with the cybersecurity requirements in its DoD and NASA contracts… and, according to the complaint, pressed its Senior Director of Cyber Security, Compliance and Controls, Brian Markus, to sign off on that misrepresentation.

Instead of going along with the misrepresentations, he filed an FCA qui tam complaint against the company.

And this is where Aerojet tried to get creative.

You see, the government declined to intervene, which Aerojet took to mean that what they did (or, didn’t do) was perfectly acceptable.  So they moved to dismiss the case, arguing that because the government already knew they were not fully compliant, the noncompliance was immaterial to the government’s decision to award and pay the contracts.

The court was having none of that, though.  While Aerojet DID disclose SOME of its noncompliance, the court found it plausibly alleged that the disclosures were incomplete, and a partial disclosure does not show that the government knew the full picture.  It makes sense, too: what would be the reason to disclose SOME but not ALL of their gaps?  Because, as alleged, the gaps they didn’t disclose could have cost them the contract.

Needless to say, Aerojet lost its motion to dismiss, and the case proceeded.

What These Cases Mean for You

The results of these cases signal that the government means business.  The creation of the CMMC model says the same thing.  The lack of cybersecurity in the US in general, and among federal contractors in particular, has had a massive negative impact on the US government, and it is no longer going to sit by and allow the noncompliance to continue.

As we have mentioned, once CMMC is fully phased in you will not even be eligible for covered contracts unless you pass the CMMC assessment.  But in the meantime, if you are found to be out of compliance, you will likely be forced to pay back, at least partially, the funds paid to you by the government, as well as additional penalties and fees…

Fortunately, PTG has a FREE CMMC/NIST self-assessment.  We strongly urge you to fill it out, especially if you have (or want) a contract with the Department of Defense!

Compliance is truly your best option.
