Last Updated on January 25, 2023
Organizations in the US defense industrial base (DIB) need to protect Controlled Unclassified Information (CUI) per the requirements in their contracts. Failure to do so can lead to a range of sanctions depending on the specifics of the violation(s).
What are the issues DIB orgs need to be aware of? And how can you avoid sanctions and associated business risk, including loss of your government contract?
To share legal best practices for SMBs in the defense supply chain, a recent episode of The Virtual CISO Podcast features Stephanie Siegmann, Partner and Chair, International Trade and Global Security Group and Cybersecurity, Data Protection, and Privacy Group at Hinckley Allen. The show’s host is John Verry, Pivot Point Security CISO and Managing Partner.
What not to do
CUI infractions subject to sanctions come in two classes:
- Failure to promptly report data breaches or other incidents where CUI falls into the wrong hands or is exposed and vulnerable to improper disclosure
- Misrepresenting through intent or ineptitude your security posture/controls as compliant with your contract when, in fact, they are not
Cases in the first category could put you in a courtroom facing civil or criminal charges from any of several US government agencies, including the Department of State, the Department of Commerce, and the Department of Treasury.
Cases in the second category are prosecuted by the Department of Justice (DoJ) under the False Claims Act.
Aerojet Rocketdyne’s story
To illustrate how the US government both threatens and incentivizes DIB orgs to maintain regulatory compliance, Stephanie touches on the Aerojet Rocketdyne case, where a former employee turned whistleblower brought suit on behalf of the US government. A settlement was reached after just two days, in which the company agreed to pay $9 million to resolve the allegations that it violated the False Claims Act by misrepresenting its compliance with contractual cybersecurity requirements. The whistleblower netted $2.61 million as his share of the recovery.
“Those issues are really front-and-center and top of mind for DoJ,” Stephanie relates. “When they announced their Civil Cyber Fraud Initiative in 2021, their priority is to go after entities that are not taking cybersecurity seriously and not reporting breaches.”
Stephanie continues: “The Deputy Attorney General (DAG) has indicated how important individual accountability is going forward. An individual should expect that if there were export violations that jeopardize national security and a company did not report them, and they’re investigated, they’re going to be very seriously pursued and I imagine indictments would be brought.”
Don’t commit cyber fraud
Stephanie underscores that the focus of the Civil Cyber Fraud Initiative is cyber fraud, specifically non-compliance with the cybersecurity provisions in government contracts. The False Claims Act is the law used to prosecute fraudulent claims made to the USG around contract compliance, such as knowingly misrepresenting your NIST 800-171 compliance score.
Meanwhile, failure to report cyber incidents involving CUI could constitute an “export violation” that comes with a potential 20-year felony sentence if you knowingly fail to disclose it promptly to the USG or your prime contractor.
To catch this podcast episode with cyber lawyer Stephanie Siegmann in its entirety, click here.
Are you in compliance with the cybersecurity requirements in your DoD contract? If not, you better move fast: DIB Orgs: Time is Almost Up for DFARS and NIST 800-171 Compliance