
Ice Miller Cybersecurity Law Snapshot: Cybersecurity-Related FCA Case, Small Business Cybersecurity Bill & NDAA’s Nod to Voluntary Incident Reporting

Trial in First Cybersecurity-Related False Claims Act Case Suggests Non-Compliance Disclosures Must Be Robust

Defense Federal Acquisition Regulations Supplement (DFARS) cybersecurity requirements may be material to the Department of Defense’s (DoD) decision to award contracts, based on a recent court ruling. [1] A California federal court issued an order on February 1, 2022, holding that a jury should decide whether defense contractor Aerojet Rocketdyne, Inc. knowingly misrepresented its compliance with the “adequate security” requirements in a prior version of DFARS 252.204-7012 in violation of the False Claims Act (FCA). Although Aerojet argued that it disclosed non-compliance with DFARS to the DoD, the court leaned in favor of an argument that the disclosures were not as complete as they could have been, and found that that was a dispute for a jury to decide:
Because of the dispute as to whether [Aerojet] fully disclosed its noncompliance, a reasonable trier of fact could find that the government might not have contracted with [Aerojet], or might have contracted at a different value, had it known what relator argues [Aerojet] should have told the government.

The court sided with Aerojet in agreeing to drop 11 of Aerojet’s 18 defense contracts that the relator-claimant raised in his lawsuit because the DoD awarded them after the lawsuit began or omitted the DFARS adequate security requirement. This case has not only captured the defense industry’s attention, but also that of the Department of Justice (DOJ). Even though the government declined to intervene in this case, the DOJ announced its intent to use the FCA to enforce cybersecurity requirements (as we wrote about last October). The DOJ also filed a Statement of Interest in the Aerojet case even though it did not choose to bring the case. 

House Re-Introduces Bill to Improve Cybersecurity of Small Organizations

Many federal cybersecurity regulations, such as CMMCv.1, fall short of considering safeguarding measures proportional to the resources available to small businesses, nonprofits, and local governments. On January 31, 2022, Representatives Anna G. Eshoo (D-CA) and William Timmons (R-SC) re-introduced the Improving Cybersecurity of Small Businesses, Nonprofits, and Local Governments Act. This bipartisan bill aims to do the following:

  • direct the Cybersecurity and Infrastructure Security Agency (CISA) to issue guidance that documents and promotes evidence-based cybersecurity policies and controls for small organizations (i.e., small businesses, nonprofits, and local governments);
  • require CISA, the Small Business Administration (SBA), and the Minority Business Development Agency to promote the cybersecurity guidance;
  • require the Secretary of Commerce to submit to Congress a report describing methods to incentivize small organizations to improve their cybersecurity; and
  • require the SBA to report on the state of small business cybersecurity every two years.

Taken together with DoD’s move to simplify CMMC 2.0 (as we discussed in November 2021), the proposed legislation suggests that industry’s comments against one-size-fits-all cybersecurity requirements are having some effects.

National Defense Authorization Act (NDAA) for 2022 Maintains Voluntary Collaboration

After a year in which we witnessed massive breaches like SolarWinds and Colonial Pipeline, Congress passed the NDAA for 2022 without including any mandatory incident response requirements for the private sector. The NDAA, which Congress uses annually to address policy, technology, and acquisitions issues for the DoD and beyond, creates numerous cybersecurity-related requirements and initiatives. For example, Section 1546 sets forth a requirement for CISA to biennially update an incident response plan and to consult with sector-specific agencies and the private sector in establishing an exercise program to assess its effectiveness. Similarly, Section 1548 establishes the so-called “CyberSentry” program within CISA, authorizing CISA to enter into strategic partnerships with critical infrastructure owners and operators to provide them with continuous monitoring and detection of cybersecurity risks to their industrial control systems and supporting information systems. Neither section, however, imposes any new mandatory incident reporting requirements on the private sector. Instead, Congress appears to maintain the voluntary collaboration approach with many critical infrastructure owners in the private sector.

Connect with Ice Miller Cybersecurity Attorneys

Ice Miller has extensive experience assisting companies to navigate and comply with federal cybersecurity laws and regulations, as well as taking advantage of cybersecurity-related procurement opportunities. Our team includes Guillermo Christensen, managing partner of the firm’s Washington D.C. office and former CIA officer with national security experience in the intelligence community and internationally with the U.S. Department of State; Christian Robertson, a former U.S. Air Force intelligence officer who regularly advises clients on federal procurement cybersecurity laws and regulations; Angad Chopra, a Certified Privacy Professional and associate in Ice Miller’s Data Security and Privacy Group; and Dakota Coates, an associate in Ice Miller’s Litigation Group.

[1] U.S. ex rel. Markus v. Aerojet RocketDyne Holdings Inc., et al., No. 2:15-cv-02245, ECF No. 155 (E.D. Ca. Feb. 1, 2022).

This publication is intended for general informational purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstance.
