2 Cybersecurity Government Contractor Laws You Need to Know
Due to increasing cyber threats against the government, contractors and subcontractors within the DIB supply chain are being held to higher security standards. CMMC Compliance with DoD requirements includes adhering to two lesser-known laws, which is why every CISO should be familiar with the Christian Doctrine and the False Claims Act (FCA). Violation of these laws, knowingly or otherwise, could put your business, contracts, and clients at risk.
False Claims Act: Honest Abe Calls for Honest Contractors
First passed in 1863 by the Lincoln Administration, the False Claims Act was a response to fraudulent contractors guilty of selling faulty provisions and munitions to the Union Army. To support this effort, they added a provision that states any "whistleblowers" will receive a designated portion of the money from the fines/penalties (if it's proven to be true).
The FCA sat dormant for well over a century after the end of the Civil War. In 1986 the government revived it in the face of widespread fraudulence amongst defense contractors. Between 1987 and 2018, the federal government recovered $62.1 billion in assets under the FCA. The first cybersecurity-related case came in 2019.
Companies within the Defense Industrial Base (DIB) are being held to higher standards when it comes to cybersecurity. FCA is being used by the government to pursue alleged noncompliance with cybersecurity regulations with those entering DoD contracts.
Previously, DIB contractors were able to self-assess and report their compliance. Under CMMC, third-party assessments are required. Any inconsistencies could result in penalties or loss of contracts. Third-party verification is the best way to avoid mistakes and guarantee compliance. If a person or business falsifies an assessment or any related information, they would be liable under the False Claims Act (FCA) aka the "Lincoln Law". There are fines up to three times the contract value and additional penalties under the FCA, and some companies have been forced to hand over millions of dollars as a result.
While the original intent of the FCA was protection against sick horses and second-rate muskets, the dawn of the digital age brought new meaning. Rocket and missile manufacturer Aerojet Rocketdyne learned the hard way that defrauding the federal government is never worth it. A whistleblower filed a claim that Aerojet “fraudulently entered into contracts with the federal government despite knowing that they did not meet the minimum [security] standards required to be awarded a government contract.” The case is a great example of the importance of compliance and accurate reporting to the federal government.
The Christian Doctrine: What Is It?
On the flipside, there is also liability for contractors who unknowingly omit a statute or regulation from their contract with the government. This is known as the Christian Doctrine.
The Christian Doctrine states that contracts with the U.S. government are not all-encompassing and may not reflect all the obligations and responsibilities of the contracting parties. Meaning, the contractor will still be held accountable for any omissions, intentional or otherwise.
From a legal perspective, under the Christian Doctrine, even if an organization does not have the CMMC requirement in their current contracts, if they are handling any of the covered data (FCI or CUI), they still have a legal obligation to comply. Just because a contractor did not explicitly say there is CUI or FCI in a contract- by signing the contract you are agreeing to the minimum requirements, like DFARS and CMMC, set forth by the DoD.
This law was enacted after a 1993 lawsuit against the federal government. G.L. Christian & Associates had a contract with the federal government, but it was terminated early. The company brought a case against them, suing for lost future profit that was promised in the contract. The federal government cited the termination for convenience clause, which relieves the government of any liability of anticipated profit from unperformed work. This statute is standard across the DIB but the clause wasn’t included in the contract with G.L. As a result, the government signed the Christian Doctrine into law. It states that any clause considered “a deeply ingrained strand of public procurement policy” should be read into any contract as a matter of law.
To protect themselves, it is important for all contractors and sub-contractors to be thorough in their DoD contracts. By signing a contract with the federal government, contractors are attesting they meet requirements whether they are included in the contract or not.
Compliance gaps, intentional or not, could cost you money and/or contracts. It’s imperative for each contractor in the DIB supply chain to assess their framework for such gaps. ProArch provides CMMC consulting and solutions to government contractors that help you prepare for CMMC and meet CMMC requirements now and into the future.