The hidden cybersecurity risk for federal contractors


After a rough year of cyberattacks and data breaches, the federal government is getting serious about protecting its sensitive information when in the hands of its contractors. As a result, contractors are being sent to the front lines of the fight.

Already, the Defense Department has imposed requirements to protect "unclassified controlled technical information," and it recently expanded these obligations via interim rules with immediate effect. The National Archives and Records Administration is about to complete its new regulation to better protect sensitive but unclassified federal information. The National Institute of Standards and Technology has issued new cyber protection standards intended for commercial companies. And the General Services Administration stands poised to issue new rules for schedule holders.

We are going to see new cyber protection requirements in many solicitations and contract modifications. And an unwary contractor might become a casualty when it certifies compliance, even implicitly, with "all IT security standards." For example, the second draft request for proposals for GSA's Alliant 2 subjects contractors to "all ordering activity IT security standards … and government wide laws or regulation applicable to the protection of government wide information security." How can a contractor certify before it knows what "sensitive data and information" will be part of the performance of a task order? Or even what all the standards will be? Yet if a contractor does not certify or impliedly certify, it may lose the chance to compete for award.

Agreement to the condition of providing cyber security that meets all the standards of any "sensitive data and information" could subject a contractor to risks under the False Claims Act. It could be almost reckless for a firm to agree to this without knowing even what data must be protected and to what standards. Prudent companies should not enter into contracts that incorporate lists of cyber obligations unless they understand the requirements and believe they can comply. For after a cyber incident occurs, the contractor can be sure to expect extra scrutiny.

FCA violations result in civil penalties of up to $11,000 per violation, as well as treble damages. Here's how it would work. Suppose that a contractor makes a bid where the RFP contained multiple cyber security standards and requirements to protect the federal data it will receive. A contractor could be exposed under the FCA if it didn't understand the requirements or knew it did not have measures in place to protect its information systems and keep the data safe. Prosecutors might contend that the contractor acted with a "reckless disregard" for the truth or falsity of its compliance with stated cyber protection requirements.

If the government considers compliance to be a condition of payment or at least capable of influencing payment by the government, FCA exposure could follow under an express or "implied certification" theory. If it is a condition of payment, then the contractor will be liable for treble damages and civil penalties, which often run into the millions of dollars.

The dilemma for the contractor is whether to agree, while uncertain, or to forgo the chance to bid. Agencies, for their part, should be careful not to demand compliance with new requirements before companies have sufficient time to respond. An opportunity to explain and justify deviations from expected cyber protections will serve agency needs without creating contractor gotchas.

Neither the government nor its vendors are immune from cyberattack. The government should not force its contractors to accept exposure to FCA liability by demanding immediate compliance with cyber measures that will take time, effort, and investment to achieve.

About the Author

Brian D. Miller, a former General Services Administration inspector general, is a shareholder in the law firm of Rogers Joseph O'Donnell.
