Cybersecurity for DoD Contract Information: Navigating Regulations and Risks
Published Sep 17, 2024, by David Francis
Cybersecurity has become a critical concern for organizations working with the Department of Defense (DoD). The stakes are particularly high for contractors managing sensitive defense information, as non-compliance with regulations can lead to lost contracts, lawsuits, and extensive financial penalties. This article explores the key regulations influencing cybersecurity practices, the recent crackdown by the Department of Justice (DOJ), and the increasing role of whistleblowers in maintaining compliance within the industry.
Understanding Key Regulations: DFARS and NIST SP 800-171
The Defense Federal Acquisition Regulation Supplement (DFARS) requires contractors to adhere to stringent cybersecurity standards, notably outlined in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171). Any contractor handling Controlled Unclassified Information (CUI) must fully implement these standards to safeguard sensitive defense data.
Failing to meet these requirements can have severe consequences, as illustrated by ongoing legal actions against organizations like Georgia Tech and Penn State. In both instances, the DOJ has stepped in to investigate claims of inadequate cybersecurity measures, highlighting the critical nature of compliance in contract security.
DOJ Crackdown on Cybersecurity: The Civil Cyber-Fraud Initiative
In October 2021, Deputy Attorney General Lisa O. Monaco launched the Civil Cyber-Fraud Initiative to tackle weaknesses in cybersecurity among government contractors. This initiative uses the False Claims Act (FCA) to hold contractors accountable for misrepresentations about their cybersecurity practices. Monaco emphasized that “For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to report it.” The initiative calls for increased transparency and accountability in cybersecurity protocols.
Georgia Tech Case
One notable example of this initiative is the lawsuit against Georgia Tech. The DOJ has joined a whistleblower suit claiming that Georgia Tech and its affiliate failed to implement adequate cybersecurity controls required for Department of Defense (DoD) contracts. The complaint alleges that until February 2020, Georgia Tech's Astrolavos Lab did not have a system security plan to address necessary cybersecurity measures. Even after establishing a plan, it reportedly did not sufficiently protect all required devices. This case is a strong reminder that neglecting cybersecurity obligations can result in significant reputational harm and financial penalties.
The allegations against Georgia Tech underline the serious risks organizations face when they do not follow established cybersecurity protocols. As U.S. Attorney Ryan K. Buchanan pointed out, "Cybersecurity compliance by government contractors is critical in safeguarding U.S. information and systems against threats posed by malicious actors." This not only emphasizes the need for compliance but also sets an important precedent for accountability among contractors.
Penn State Case
Similarly, the ongoing investigation into Penn State highlights growing concerns about non-compliance with cybersecurity measures. Allegations have emerged that the university submitted false certifications regarding its adherence to DFARS and NIST guidelines. This case reflects the DOJ's increasing vigilance in enforcing cybersecurity compliance and serves as a warning for contractors who might underestimate the risks of non-compliance.
The scrutiny of Penn State’s cybersecurity practices clearly signals that the DOJ is committed to maintaining compliance across various organizations. The investigation is active, reiterating the necessity for all entities handling sensitive information to uphold rigorous cybersecurity standards.
Importance of Robust Cybersecurity Measures for Government Contracts
These cases serve as a wake-up call for organizations handling sensitive information. Non-compliance with cybersecurity standards can lead to substantial fines, loss of contracts, and reputational damage. If your organization works with government contracts, implementing robust cybersecurity measures is not just a good practice—it's essential. By prioritizing compliance, you protect your reputation and financial standing while contributing to the overall security of vital systems.
The Whistleblower Factor: A Double-Edged Sword
The Georgia Tech and Penn State cases highlight whistleblowers’ critical role in exposing non-compliance among contracting firms. Recent allegations from current and former Georgia Tech cybersecurity personnel reveal a troubling history of negligence in adhering to required protocols, putting taxpayer dollars and national security at risk.
Whistleblowers benefit from the protections of the False Claims Act, which allows them to report fraudulent conduct while potentially sharing in any financial recovery from successful lawsuits. However, while this framework promotes accountability, it can also threaten organizational integrity.
Organizations must prioritize fostering a culture of compliance and transparency so employees feel safe to report vulnerabilities without fear of retaliation. Proactively addressing compliance issues is essential; if not, whistleblower allegations can escalate quickly, undermining trust and jeopardizing future business opportunities. In an environment where contract integrity is paramount, organizations must recognize that neglecting cybersecurity standards can have severe ramifications, driven in part by the willingness of employees to speak out.
The Consequences of Non-Compliance
The cases against Georgia Tech and Penn State highlight the remarkable risks associated with non-compliance. With the DOJ's Civil Cyber-Fraud Initiative yielding record recoveries under the FCA—over $2.6 billion in 2023 alone—contractors must recognize that neglecting cybersecurity measures can be deleterious not just in financial terms but also in terms of their eligibility to bid on future contracts (U.S. Department of Justice, February 22, 2024).
Moreover, the case against consulting firm Guidehouse Inc. highlights that the consequences of failing to meet cybersecurity standards can extend far beyond legal settlements. When Guidehouse and a subcontractor failed to conduct the required pre-production cybersecurity testing, sensitive information belonging to low-income New Yorkers was compromised, resulting in financial penalties and potential harm to the vulnerable population they served (U.S. Department of Justice, June 17, 2024). This underscores the broader implication that cybersecurity compliance is not merely a regulatory requirement, but an ethical obligation that directly impacts public trust.
How EisnerAmper Can Help in Navigating Cybersecurity Regulations
Navigating the complex landscape of cybersecurity regulations is crucial for maintaining and securing DoD contracts. Our firm offers specialized services to help organizations comply with DFARS and NIST SP 800-171 requirements. Additionally, we are CMMC certified, enabling us to assist organizations looking to bid on future contracts confidently.
Our Services Include:
- DoD Network Preparation for Bidding: Verify that your network infrastructure meets the necessary cybersecurity requirements before bidding on contracts.
- Annual Recertification: Support your organization in maintaining compliance through regular assessments and confirming certifications are up to date.
- DoD Assessments Preparation: Prepare your organization for formal assessments from the DoD to ensure that all cybersecurity measures are adequately addressed.
- Risk Assessments: Identify vulnerabilities in your cybersecurity posture and provide strategic recommendations for remediation.
In conclusion, recent DOJ actions and high-profile lawsuits underscore the importance of stringent cybersecurity measures in the defense contracting sector. Organizations need to take compliance seriously or risk significant repercussions. By adopting robust cybersecurity practices and prioritizing compliance, you can safeguard your operations, preserve your reputation, and successfully manage your government contracts. Let us assist you in navigating these complex requirements and protect your business from the substantial risks of non-compliance.
References:
Arianina, K. (2023, October 5). Penn State Cybersecurity False Claims Act Case: U.S. Government Signals Active Investigation. Orrick (orrick.com).
Office of Public Affairs. (2021, October 6). Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative. United States Department of Justice.
Office of Public Affairs. (2024, February 22). False Claims Act Settlements and Judgments Exceed $2.68 Billion in Fiscal Year 2023. United States Department of Justice.
Office of Public Affairs. (2024, June 17). Consulting Companies to Pay $11.3M for Failing to Comply with Cybersecurity Requirements in Federally Funded Contract. United States Department of Justice.
Office of Public Affairs. (2024, August 22). United States Files Suit Against the Georgia Institute of Technology and Georgia Tech Research Corporation Alleging Cybersecurity Violations. United States Department of Justice.
Starks, T. (2024, August 22). DOJ sues Georgia Tech over allegedly failing to meet cyber requirements for DOD contracts. CyberScoop.
Vinson & Elkins. (2024, June 3). DOJ's Crackdown on Government Contractors/Defense Contractors: Best Practices for Responding to False Claims Act CIDs. Regulatory Roundup, Vinson & Elkins LLP (velaw.com).