To put the facts in perspective, in June 2015, the National Institute of Standards and Technology (NIST), which is responsible for developing information security standards and guidelines, published Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171. This standard imposed new obligations on defense contractors for protecting Controlled Unclassified Information (CUI). In Aug. 2015, the Department of Defense issued an interim rule requiring contractors to implement SP 800-171. See 48 CFR 252.204-7012 (Aug. 2015). In Dec. 2015, DoD amended the interim rule to allow contractors until Dec. 31, 2017 to have compliant or equally effective alternate controls in place. See 48 CFR 252.204-7012(b)(1)(ii)(A) (Dec. 2015). Each version of the regulation defined adequate security as “protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.” 48 CFR 252.204-7012(a).
While the defendants told DoD that they did not comply with certain aspects of the cybersecurity regulations, relator’s implied certification FCA claim was based on the defendants’ allegedly false representations that they otherwise complied with the remaining aspects of SP 800-171. An implied false certification claim requires two elements: (1) the claim does not merely request payment but also makes specific representations about the goods or services provided, and (2) the defendant’s failure to disclose noncompliance with material statutory, regulatory or contractual requirements makes those representations misleading half-truths. Universal Health Servs., Inc. v. United States ex rel. Escobar, 136 S.Ct. 1989, 2001 (2016). The court, accepting plaintiff’s allegations as true as it must in response to a motion to dismiss, held that while defendants disclosed some of their noncompliance, “a partial disclosure would not relieve defendants of liability where defendants failed to ‘disclose noncompliance with material statutory, regulatory, or contractual requirements.’” The court thus denied the motion to dismiss relator’s FCA claim.
In Escobar, the Supreme Court stated that “if the Government pays a particular claim in full despite its actual knowledge that certain requirements were violated, that is very strong evidence that those requirements are not material.” Id. at 2003. For that reason, if the defendants can depose the contracting officer and establish that the alleged violations were not material to the Government’s decision to enter into the contract, defendants may be able to prevail at summary judgment.
A lesson for contractors is to be sure to disclose those areas where you do not fully comply with the requirements for a contract offering. A full disclosure will allow you to argue that the requirements were not material to the Government’s contracting decision. A failure to disclose makes that argument much harder than it has to be, especially in the fast-paced area of cybersecurity.
For small contractors still struggling to understand, much less comply with, the cybersecurity requirements, Section 1644(b) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 states that DoD will be helping small manufacturers and universities conduct voluntary self-assessments in order to understand operating environments, cybersecurity requirements and existing vulnerabilities, including through the Mentor Protégé Program, small business programs and engagements with defense laboratories and test ranges.