This post is the first in a series of blog posts about the Department of Justice’s Civil Cyber-Fraud Initiative. Through this blog series, I look forward to sharing insights from my professional journey and the impactful work at Bracker and Marcus.

I am Leslie Weinstein, a rising third-year, part-time law school student at the University of Baltimore School of Law. I am also a full-time professional with over 18 years of experience in cyber, intelligence, and policy analysis across the federal government. I have served the U.S. government as a federal civilian and Soldier. I’ve also supported the government as a government contractor and as a cybersecurity consultant for contractors. I am an extern with Bracker and Marcus LLC, and I am thrilled to contribute to the firm’s library of resources as a guest blogger.

I sought out an externship with Julie Bracker specifically to deepen my understanding of the False Claims Act (FCA) and to contribute to the firm’s mission of championing justice and integrity.


False Claims Act (FCA)

The Department of Justice’s (DOJ’s) Civil Cyber-Fraud Initiative leverages the False Claims Act (FCA) to hold federal contractors accountable when they knowingly jeopardize sensitive government information and critical government information systems.

The False Claims Act, codified at 31 U.S.C. §§ 3729-3733, was enacted by Congress in 1863 in response to widespread fraud by defense contractors during the American Civil War. The FCA imposes civil penalties and treble (triple) damages on those who knowingly submit false claims for payment to the United States, or who knowingly avoid an obligation to pay money owed to it. Since 1986, when the statute was substantially strengthened, this powerful law has enabled the government to recover over $75 billion in taxpayer funds.

The qui tam provision

A particularly compelling feature of the FCA is its qui tam provision. This allows private individuals, known as relators, to file civil lawsuits, called qui tam actions, on behalf of the government against entities that violate the FCA. Qui tam actions constitute a significant portion of FCA cases each year. Successful relators are typically awarded between 15% and 30% of the government’s recovery. In each of the past 15 years, annual recoveries under the FCA have exceeded $2 billion. Notably, fiscal year 2023 saw over $2.7 billion recovered through 543 settlements and judgments, the highest number of settlements and judgments in a single year. Additionally, in fiscal year 2023, more than 700 new qui tam lawsuits were filed, the third-highest annual total to date.

Civil Cyber-Fraud Initiative

In October 2021, the DOJ announced that cybersecurity is one of its top enforcement priorities for its FCA practice. Historically, the FCA has targeted contractors who provide substandard products or overcharge the government. The DOJ’s Civil Cyber-Fraud Initiative extends that practice to cybersecurity: it seeks to identify, pursue, and deter the cyber vulnerabilities and incidents that arise when companies fail to meet the federal cybersecurity requirements stipulated in their contracts or grants. Government contractors can violate the FCA by knowingly failing to adhere to the cybersecurity terms of a contract, knowingly misrepresenting their security controls and practices, or knowingly failing to report suspected breaches promptly. Through this initiative, the government seeks to ensure that robust cybersecurity measures are in place to protect vital federal information and systems.

Since launching the Civil Cyber-Fraud Initiative, the DOJ has seen a significant increase in agency referrals, qui tam filings, and industry self-disclosures. Some of the most common recurring issues identified in these referrals, filings, and disclosures relate to deficient IT services provided to the government and to failures to report cyber incidents. To date, the DOJ has settled five cyber-related FCA cases and unsealed two more qui tam actions, both against defense contractors.

Cyber regulations

Cybersecurity requirements for federal contractors and grant recipients are generally imposed through contract clauses. Clauses in the contract point to specific sections of the Federal Acquisition Regulation (FAR) and/or additional agency-specific acquisition regulations, such as the Defense Federal Acquisition Regulation Supplement (DFARS). Cybersecurity standards for protecting controlled unclassified information (CUI) are largely based on agency-specific policies and regulations. CUI includes things like privacy data and critical infrastructure security information.

While there is no single cybersecurity requirement for protecting CUI across the federal government, all contractors who handle federal contract information (FCI) must protect it in accordance with FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, 48 CFR § 52.204-21, which lists 15 basic safeguarding requirements. FCI is any information not intended for public release that is provided by, or generated for, the government under a contract to develop or deliver a product or service.

Executive Order 14028

Agency-specific policies have resulted in inconsistent security requirements across contracts, confusion, and added costs. To address these issues, Executive Order 14028, Improving the Nation’s Cybersecurity, directs the Department of Homeland Security (DHS) to review the agency-specific cybersecurity requirements that currently exist and to recommend standardized contract language for appropriate cybersecurity requirements to the FAR Council. As of June 2024, that standardized contract language has not been finalized.

FedRAMP Authorization Act

FedRAMP (the Federal Risk and Authorization Management Program) is a government-wide program that enables secure cloud adoption across the federal government by establishing a standardized approach to cloud security assessment and authorization. Cloud service offerings must obtain a FedRAMP authorization (an authority to operate, or ATO) before federal agencies may procure and use them.

The FedRAMP Authorization Act was signed in 2022 as part of the FY23 National Defense Authorization Act (NDAA) and codifies the FedRAMP program as the authoritative process for authorizing cloud-based products to handle unclassified federal information (FCI and CUI).

Take action now to protect your rights

The FCA includes provisions specifically aimed at protecting whistleblowers from retaliation by their employers. If you suspect that your employer may be violating the cybersecurity requirements in its federal contracts, whether imposed under the Federal Acquisition Regulation (FAR), the DFARS, or agency-specific clauses, it’s crucial to take action to protect your rights and the integrity of our nation’s security infrastructure.

Don’t stay silent—your vigilance could make a significant difference. Contact Bracker & Marcus LLC for a confidential consultation to discuss your concerns and explore your options.