Author: Tara Lemieux, CMMC Consultant, PA/PI/CCP/CCA/ISO Lead Auditor
Each day, as we peruse the news headlines, it seems inevitable that we will encounter stories of companies held hostage by ransomware attacks, reeling in the aftermath of a massive breach of sensitive information, or facing other catastrophes attributable to inadequate cybersecurity measures. These cyber incidents not only damage the company’s business reputation, but they also usually lead to financial losses, a decline in shareholder trust, and the potential termination or resignation of the involved executives. And for those companies presently doing business with the Department of Defense (DoD) and entrusted with the care of our nation’s critical data – they can and will likely face even greater consequences.
As a result, the Department of Justice (DoJ) has made safeguarding our nation’s data its number one priority, launching a Civil Fraud Initiative that aggressively targets fraudulent activities – including misrepresentations of cybersecurity compliance – that may ultimately impact our government programs.
Recent actions against Verizon Business Network Services, LLC (Verizon) and Penn State University shed light on the DoJ’s commitment to upholding rigorous cybersecurity standards, and the vital role that these enforcement actions play in protecting our Defense Supply Chain (DSC).
In the case of Verizon, the DoJ alleged that the company failed to fully satisfy required cybersecurity controls while providing information technology services to our federal agencies. More specifically, Verizon knowingly misrepresented its cybersecurity compliance status while submitting proposals for and being granted contracts under the General Services Agency (GSA). As these contracts provided information technology services, including Managed Trusted Internet Protocol Services (MTIPS), to federal agencies – Verizon was required to verify and ensure continued compliance with federal cybersecurity standards, as well as the Trusted Internet Connections standard. Although Verizon did not admit liability, they did ultimately agree to pay $4,091,317 to resolve these allegations under the False Claims Act.
In a separate filing, Penn State University became the target of a DoJ investigation following a whistleblower complaint. Specifically, the DoJ alleged that the university had been providing the self-attestations of compliance required by the DoD since December 31, 2017, but that those attestations lied about or misrepresented its adherence to government cybersecurity protocols when contracting with the federal government.
What makes the Penn State case even more disconcerting are the revelations from Matthew Decker, the Chief Information Officer at Penn State’s Applied Research Laboratory. Decker discovered that Penn State’s registration within the Supplier Performance Risk System (SPRS) showed missing records for a specific project. Decker disclosed that the University “simply uploaded template documents to ‘solve’ the missing records problem” and that the risk assessment scores, artifacts, and incomplete records entered into the SPRS were knowingly false. It was his testimony that served as the basis for this action and underscores the DoJ’s commitment to protecting data and information.
As these cyber threats become far more pervasive, the Cybersecurity Maturity Model Certification (CMMC) serves as a crucial response. CMMC provides a framework aimed at enhancing the cybersecurity posture of organizations working with the DoD. Under the CMMC Assessment Process (CAP), independent assessments play a critical role in ensuring that organizations adhere to mandated cybersecurity standards and controls.
These assessments help identify vulnerabilities and areas of improvement, enabling organizations to fortify their cybersecurity defenses. They also serve to ensure security controls are implemented correctly and operating as intended, making them an indispensable component of our collective efforts to enhance our cyber resilience and protect the integrity of U.S. critical data and systems.
Federal contractors should be aware that they may face significant penalties under the False Claims Act for misrepresentation of their cybersecurity compliance, willful or otherwise. In these cases, the contractor may be held liable for up to three times the actual damages realized, in addition to mandatory penalties of $11,000+ per incident. More notably, these actions may result in the potential loss of contracts with the DoD. This serves as an important deterrent, motivating organizations to take their cybersecurity obligations seriously.
Collectively, this represents a critical step forward in securing our Nation’s Defense Supply Chain. These cases against Verizon and Penn State University not only underscore the DoJ’s unwavering commitment to upholding cybersecurity standards, they also serve as a reminder that cybersecurity cannot be compromised.
As cyber threats become increasingly more sophisticated, our collective efforts, including CMMC and its rigorously objective assessments, are indispensable in safeguarding our nation’s critical data and systems. With the potential for substantial penalties, the False Claims Act underscores the imperative of meticulous cybersecurity compliance. As this threat continues to unfold, we must remember that each of us plays a vital role in strengthening our cyber defenses and preserving our national security.
Are you confident in your compliance requirements?