The hidden cybersecurity risk for federal contractors

After a rough year of cyberattacks and data breaches, the federal government is getting serious about protecting its sensitive information when in the hands of its contractors. As a result, contractors are being sent to the front lines of the fight.

Already, the Defense Department has imposed requirements to protect ""unclassified controlled technical information"," and it recently expanded these obligations via interim rules with immediate effect. The National Archives and Records Administration is about to complete its new regulation to better protect sensitive but unclassified federal information. The National Institute of Standards and Technology has issued new cyber protection standards intended for commercial companies. And the General Services Administration stands poised to issue new rules for schedule holders.

We are going to see new cyber protection requirements in many solicitations and contract modifications. And an unwary contractor might become a casualty when it certifies compliance, even implicitly, with "all IT security standards." For example, the second draft request for proposals for GSA's Alliant 2 subjects contractors to "all ordering activity IT security standards … and government wide laws or regulation applicable to the protection of government wide information security." How can a contractor certify before it knows what "sensitive data and information" will be part of the performance of a task order? Or even what all the standards will be? Yet if a contractor does not certify or impliedly certify, it may lose the chance to compete for award.

Agreement to the condition of providing cyber security that meets all the standards of any "sensitive data and information" could subject a contractor to risks under the False Claims Act. It could be almost reckless for a firm to agree to this without knowing even what data must be protected and to what standards. Prudent companies should not enter into contracts that incorporate lists of cyber obligations unless they understand the requirements and believe they can comply. For after a cyber incident occurs, the contractor can be sure to expect extra scrutiny.

FCA violations result in civil penalties of up to $11,000 per violation, as well as treble damages. Here's how it would work. Suppose that a contractor makes a bid where the RFP contained multiple cyber security standards and requirements to protect the federal data it will receive. A contractor could be exposed under the FCA if it didn't understand the requirements or knew it did not have measures in place to protect its information systems and keep the data safe. Prosecutors might contend that the contractor acted with a "reckless disregard" for the truth or falsity of its compliance with stated cyber protection requirements.

If the government considers compliance to be a condition of payment or at least capable of influencing payment by the government, FCA exposure could follow under an express or "implied certification" theory. If it is a condition of payment, then the contractor will be liable for treble damages and civil penalties, which often run into the millions of dollars.

The dilemma for the contractor is whether to agree, while uncertain, or to forgo the chance to bid. Agencies, for their part, should be careful not to demand compliance with new requirements before companies have sufficient time to respond. An opportunity to explain and justify deviations from expected cyber protections will serve agency needs without creating contractor gotchas.

Neither the government nor its vendors are immune from cyberattack. The government should not force its contractors to accept exposure to FCA liability by demanding immediate compliance with cyber measures that will take time, effort, and investment to achieve.