During remarks at CISA’s annual National Cybersecurity Summit, acting assistant attorney general Brian M. Boynton addressed the Department of Justice’s plan to use the False Claims Act against contractors who fail to disclose cybersecurity issues. Boynton identified three common cybersecurity failures that could result in FCA enforcement.

  • Knowing failure to comply with contractual requirements. “When government agencies acquire cyber products and services, they often require contractors and grantees to meet specific contract terms, which are often based on uniform contracting language or agency-specific requirements,” Boynton noted. “The knowing failure to meet these cybersecurity standards deprives the government of what it bargained for.”
  • Knowing misrepresentation of security controls and practices. “Misreporting about these practices may cause the government to choose a contractor who should not have received the contract in the first place,” Boynton said. “Or it could cause the government to structure a contract differently than it otherwise would have. Knowing misrepresentations of this kind also deprive the government of what it paid for and violate the False Claims Act.”
  • Knowing failure to timely report suspected breaches. “Government contracts for cyber products, as well as for other goods and services, often require the timely reporting of cyber incidents that could threaten the security of agency information and systems,” Boynton remarked. “Prompt reporting by contractors often is crucial for agencies to respond to a breach, remediate the vulnerability and limit the resulting harm.”
