In October 2021, the U.S. Department of Justice (DOJ) took a major step toward curbing cybersecurity fraud among government contractors and grant recipients: the Civil Cyber-Fraud Initiative.
By leveraging the False Claims Act (FCA), the Initiative prosecutes government contractors, subcontractors, and grant recipients who knowingly fail to comply with federal cybersecurity mandates such as DFARS 7019 and 7020. Since its inception, the False Claims Act has recovered over $75 billion in damages, and recent settlements have cost companies as much as $172 million (DOJ, 2024).
In this article, we’ll break down everything you need to know about the FCA and the Civil Cyber-Fraud Initiative, including who’s at risk, the penalties of non-compliance, recent cases, and ways to stay protected.
What is the Civil Cyber-Fraud Initiative?
The Civil Cyber-Fraud Initiative, led by the Fraud Section of the DOJ, uses the False Claims Act to pursue companies that fail to meet required cybersecurity practices, or misrepresent those practices, in order to win a federal contract or grant.
The Initiative targets three main categories of misconduct:
- Noncompliance with cybersecurity standards: knowingly failing to comply with the cybersecurity standards required by a government contract, such as improperly handling Controlled Unclassified Information (CUI) under NIST SP 800-171.
- Misrepresentation of security controls and practices: knowingly misrepresenting security practices in order to secure a government contract, such as submitting a false Supplier Performance Risk System (SPRS) score or falsifying details in your System Security Plan.
- Failure to report suspected breaches promptly: knowingly failing to report suspected breaches or incidents within the timeframe defined in your contract.
What is the False Claims Act?
The False Claims Act, originally established in 1863 to prevent fraud by defense contractors during the Civil War, is what gives the Civil Cyber-Fraud Initiative its legal power.
The act provides that any person who knowingly submits false claims to the government is “liable for three times the government’s damages plus a penalty that is linked to inflation” (DOJ, 2023).
The FCA’s qui tam provision encourages whistleblowers, allowing individuals to report fraud on behalf of the US government in exchange for up to 30% of the recovered funds as well as protection against retaliation (DOJ, 2024). This puts companies at a significantly heightened risk of being exposed for misconduct: in 2023 alone, whistleblowers accounted for over $2.3 billion in settlements (DOJ, 2024).
In effect, your organization is one whistleblower away from a False Claims Act action.
What Are the Penalties for Violating the Civil Cyber-Fraud Initiative?
As of February 12, 2024, the penalties for making a false claim to the US Government range from $13,946 to $27,894 per violation, and it is not uncommon for an organization to face hundreds, or even thousands, of violations in a single DOJ action (DOJ, 2024). Recent settlements under the Civil Cyber-Fraud Initiative have ranged from roughly $290,000 to over $900 million.
The Civil Cyber-Fraud Initiative and False Claims Act in Action
Recent major settlements related to the Civil Cyber-Fraud Initiative include:
Guidehouse Inc. and Nan McKay (Financial settlement: $11.3 million)
In June 2024, consulting firms Guidehouse Inc. and Nan McKay agreed to pay $7.6 million and $3.7 million respectively to settle allegations that they failed to conduct contractually required pre-production cybersecurity testing on New York State’s Emergency Rental Assistance Program (ERAP) technology (DOJ, 2024).
Insight Global LLC (Financial settlement: $2.7 million)
In May 2024, Insight Global LLC, an international staffing company holding contracts with the Pennsylvania Department of Health, agreed to pay $2.7 million to settle allegations that it failed to keep health information obtained during COVID-19 contact tracing confidential and secure (DOJ, 2024).
Georgia Tech (Financial settlement: to be determined)
In February 2024, the DOJ unsealed a complaint against the Georgia Tech Research Corporation and the Georgia Institute of Technology alleging that they failed to comply with NIST SP 800-171 cybersecurity controls in their contracts with the DoD (The National Law Review, 2024).
Jelly Bean Communications Design (Financial settlement: $293,771)
In March 2023, Jelly Bean Communications Design, a graphic design firm, agreed to pay $293,771 to settle allegations that it failed to provide and maintain secure hosting for HealthyKids.org, a federally funded website that handles children’s health insurance information (DOJ, 2023).
Verizon Business Network Services (Financial settlement: $4,091,317)
In September 2023, Verizon Business Network Services agreed to pay $4,091,317 to settle allegations that it failed to comply with several controls under the Trusted Internet Connections initiative, a requirement for its General Services Administration contracts (DOJ, 2023).
Comprehensive Health Services (Financial settlement: $930,000)
In March 2022, Comprehensive Health Services, a medical provider holding contracts with the State Department and the Air Force, agreed to pay $930,000 to settle allegations that it falsified security information regarding the handling of medical data at its facilities in Iraq and Afghanistan (DOJ, 2022).
Aerojet Rocketdyne (Financial settlement: $9 million)
In July 2022, Aerojet Rocketdyne, a provider of propulsion and power systems, agreed to pay $9 million to settle allegations that it misrepresented its compliance with cybersecurity requirements in several government contracts (DOJ, 2022).
What Does This Mean for You?
The DOJ has made it clear that there are “no more free passes” when it comes to cybersecurity (Cyber AB). Any organization that fails to meet its required federal security standards is one allegation away from potentially crippling fines and loss of contracts.
The best way to avoid FCA violations is to thoroughly understand the cybersecurity frameworks you are required to follow, keep your documentation current, practice strict cybersecurity hygiene, and, of course, never misrepresent security practices or controls.
Achieve & Maintain Compliance with SP6
Given the breadth and complexity of federal compliance standards like NIST SP 800-171 and NIST SP 800-53, the possibility of unintentionally missing a requirement, and subsequently winding up with an FCA violation, is very real.
Registered Provider Organizations like SP6 can give you the extra layer of protection you need against unintentionally violating the FCA. With 15+ years of experience helping companies understand complex requirements such as DFARS / CMMC / ITAR, SP6’s Certified CMMC Professionals and Assessors help simplify the compliance process.
Start a conversation with us today to learn how our certified compliance experts and automated evidence-collection software can transform your approach to DFARS / CMMC compliance.