The U.S. Department of Justice continues an increasingly aggressive approach to enforcing cybersecurity requirements applicable to federal contractors and subcontractors, as we previously highlighted in a November client alert. On December 10, DOJ announced a new criminal fraud indictment against an individual based on alleged misrepresentations regarding compliance with government information security requirements.

The indictment charges that the defendant, a senior manager at a government contractor that provides cloud computing services to federal agencies, defrauded the government and obstructed government audits. She is alleged to have done so by making knowing misrepresentations about the company’s cloud-based platform in order to win contracts and subcontracts for her company that required a higher level of security than that which she knew her company’s platform was capable of providing. Several agencies relied on these misrepresentations in making decisions about awards that were collectively valued in the hundreds of millions of dollars.

More specifically, the allegations center on her submission of materially false or misleading information to auditors and authorizing officials for the purpose of hiding failures to implement required Federal Risk and Authorization Management Program (FedRAMP) and Department of Defense’s Risk Management Framework (RMF) security controls, as well as disregard of internal and third-party warnings regarding noncompliance.  

The indictment is significant for several reasons. First, it underscores DOJ’s continued view that compliance with federal cybersecurity requirements are of the utmost importance to government decision-makers. Second, it serves as a reminder to federal contractors and their employees of the DOJ’s willingness to pursue not only corporate civil liability under the False Claims Act, but also criminal liability (and corresponding prison sentences) against those involved in cybersecurity compliance under government contracts. Finally, it serves as yet another warning to federal contractors and subcontractors of the importance of carefully monitoring the accuracy of representations to the government. Misrepresentations made by those with actual or apparent authority may be imputed to the company.  

Contractor Takeaways

Together with recent civil settlements (as highlighted in our previous alert), this indictment sends an important reminder to government contractors and subcontractors: 

• Companies handling government information must ensure that cybersecurity controls are fully implemented, accurately documented, and truthfully represented to the government. 
   
• Contractors and subcontractors can help avoid problems with the government by, among other steps:
   
  • Maintaining robust internal controls.
     
  • Providing appropriate escalation mechanisms for identifying and challenging questionable statements to the government by employees.
     
  • Instituting tracking and verification processes to maintain oversight, accuracy, and consistency of statements made on the company’s behalf. 

For more information, please contact us or your regular Parker Poe contact. Click here to subscribe to our latest alerts and insights.