The hidden cybersecurity risk for federal contractors


After a rough year of cyberattacks and data breaches, the federal government is getting serious about protecting its sensitive information when in the hands of its contractors. As a result, contractors are being sent to the front lines of the fight.

Already, the Defense Department has imposed requirements to protect "unclassified controlled technical information," and it recently expanded these obligations via interim rules with immediate effect. The National Archives and Records Administration is about to complete its new regulation to better protect sensitive but unclassified federal information. The National Institute of Standards and Technology has issued new cyber protection standards intended for commercial companies. And the General Services Administration stands poised to issue new rules for schedule holders.

We are going to see new cyber protection requirements in many solicitations and contract modifications. And an unwary contractor might become a casualty when it certifies compliance, even implicitly, with "all IT security standards." For example, the second draft request for proposals for GSA's Alliant 2 subjects contractors to "all ordering activity IT security standards … and government wide laws or regulation applicable to the protection of government wide information security." How can a contractor certify before it knows what "sensitive data and information" will be part of the performance of a task order? Or even what all the standards will be? Yet if a contractor does not certify or impliedly certify, it may lose the chance to compete for award.

Agreement to the condition of providing cybersecurity that meets all the standards of any "sensitive data and information" could subject a contractor to risks under the False Claims Act. It could be almost reckless for a firm to agree to this without knowing even what data must be protected and to what standards. Prudent companies should not enter into contracts that incorporate lists of cyber obligations unless they understand the requirements and believe they can comply. After a cyber incident occurs, the contractor can be sure to expect extra scrutiny.

FCA violations result in civil penalties of up to $11,000 per violation, as well as treble damages. Here's how it would work. Suppose that a contractor submits a bid where the RFP contained multiple cybersecurity standards and requirements to protect the federal data it will receive. The contractor could be exposed under the FCA if it did not understand the requirements, or if it knew it did not have measures in place to protect its information systems and keep the data safe. Prosecutors might contend that the contractor acted with "reckless disregard" for the truth or falsity of its compliance with the stated cyber protection requirements.

If the government considers compliance to be a condition of payment or at least capable of influencing payment by the government, FCA exposure could follow under an express or "implied certification" theory. If it is a condition of payment, then the contractor will be liable for treble damages and civil penalties, which often run into the millions of dollars.

The dilemma for the contractor is whether to agree, while uncertain, or to forgo the chance to bid. Agencies, for their part, should be careful not to demand compliance with new requirements before companies have sufficient time to respond. An opportunity to explain and justify deviations from expected cyber protections will serve agency needs without creating contractor gotchas.

Neither the government nor its vendors are immune from cyberattack. The government should not force its contractors to accept exposure to FCA liability by demanding immediate compliance with cyber measures that will take time, effort, and investment to achieve.

About the Author

Brian D. Miller, a former General Services Administration inspector general, is a shareholder in the law firm of Rogers Joseph O'Donnell.
