
My name is Leslie Weinstein, and I am a rising third-year, part-time law school student at the University of Baltimore School of Law. I am also a full-time professional with more than 18 years of experience in cyber, intelligence, and policy analysis across the federal government.

This blog is the second in a series focused on the Department of Justice’s Civil Cyber Fraud Initiative and its relationship with the False Claims Act. Through this blog series, I look forward to sharing insights from my professional journey and the impactful work being done at Bracker and Marcus.

Read part one here: Inside the DOJ’s Civil Cyber-Fraud Initiative

Civil Cyber-Fraud Initiative and the False Claims Act

As a quick recap, leveraging the False Claims Act (FCA), the Department of Justice’s Civil Cyber-Fraud Initiative seeks to identify, pursue and deter cyber vulnerabilities and incidents that arise when companies fail to meet federal cybersecurity requirements stipulated in their contracts or grants.

Government contractors can violate the FCA by failing to adhere to cybersecurity terms, misrepresenting security controls and practices, or failing to report suspected breaches in a timely manner.

Through this initiative, the government seeks to ensure robust cybersecurity measures are in place to protect vital federal information and systems. The Department of Defense (DoD) implements cybersecurity requirements for their contractors and subcontractors through contract clauses.

Defense Federal Acquisition Regulation Supplement (DFARS)

The Code of Federal Regulations (CFR) Title 48 governs the federal acquisition process by which agencies procure goods and services. Chapter 2, the Defense Acquisition Regulations System, contains the Defense Federal Acquisition Regulation Supplement (DFARS), which specifies the rules for DoD procurement. Companies entering DoD contracts must adhere to DFARS, and prime contractors must pass down the relevant FAR and DFARS clauses to their subcontractors, who must do the same with their own suppliers.

Prime contractors are responsible for subcontractor compliance, and non-compliance can lead to penalties, including contract termination. Subcontractors must strictly follow DFARS clauses to avoid DoD enforcement actions, which often involve broader regulatory frameworks like the FCA.

FAR and DFARS Cybersecurity Requirements

There are several FAR and DFARS clauses that establish cybersecurity requirements for Defense contractors and subcontractors.

FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems

This clause addresses cybersecurity protections for contractor information systems that handle Federal Contract Information (FCI).

DFARS 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting

This clause mandates compliance with NIST SP 800-171 controls for protecting controlled unclassified information (CUI) and reporting cyber incidents.

  • DFARS 252.204-7012, Paragraph (b)(2)(ii)(D) additionally requires contractors that use an external cloud service provider (CSP) to process CUI to ensure that the CSP implements the FedRAMP Moderate baseline controls and complies with the additional DFARS 252.204-7012 requirements for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.

DFARS 252.204-7019 – Notice of NIST SP 800-171 DoD Assessment Requirements

This clause requires contractors to submit their NIST SP 800-171 self-assessment scores in the Supplier Performance Risk System (SPRS).

DFARS 252.204-7020 – NIST SP 800-171 DoD Assessment Requirements

This clause applies when contract performance involves CUI and requires contractors to undergo a DoD assessment of their implementation of the NIST SP 800-171 controls.

DFARS 252.204-7021 – Cybersecurity Maturity Model Certification (CMMC) Requirement

This clause has not yet been published as a final rule, but once the rule is finalized, it will mandate that contractors and subcontractors achieve CMMC certification at the appropriate level, which depends on the category of government data the contractor handles.

Work with a trusted name in Qui Tam, False Claims Act, and whistleblower law

The FCA includes provisions specifically aimed at protecting whistleblowers from retaliation by their employers. If you suspect that your employer may be violating Federal Acquisition Regulation (FAR) or Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity requirements, it’s crucial to take action to protect your rights and the integrity of our nation’s security infrastructure. Don’t stay silent—your vigilance could make a significant difference.

Contact Bracker & Marcus LLC for a confidential, no-cost consultation to discuss your concerns and explore your options.