Page 11 - FCW, February 2016

Commentary | BRIAN D. MILLER
BRIAN D. MILLER, a former General Services Administration inspector general, is a shareholder in the law firm Rogers Joseph O’Donnell.
The hidden cybersecurity risk for contractors
Companies could face friendly fire under the False Claims Act if they agree to cybersecurity requirements that haven’t been fully explained
After a rough year of cyberattacks and data breaches, the federal government is getting serious about protecting its sensitive information when it’s in the hands of contractors. As a result, contractors are being sent to the front lines of the fight.
The Defense Department has imposed requirements to protect “unclassified controlled technical information” and recently expanded those obligations via interim rules with immediate effect. The National Archives and Records Administration is about to complete a new regulation to better protect sensitive but unclassified federal information. The National Institute of Standards and Technology has issued new cyber protection standards for commercial companies. And the General Services Administration is poised to issue new rules for schedule holders.
We will see new cyber protection requirements in many solicitations and contract modifications. And an unwary contractor might become a casualty when it certifies compliance, even implicitly, with “all IT security standards.”
For example, the second draft request for proposals for GSA’s Alliant 2 subjects contractors to “all ordering activity IT security standards...and governmentwide laws or regulation applicable to the protection of governmentwide information security.” How can a contractor certify before it knows what “sensitive data and information” will be part of the performance of a task order, or even what all the standards will be? Yet if a company does not certify or impliedly certify, it might lose the chance to compete for a contract.
Agreement to the condition of providing cybersecurity that meets all the standards of any “sensitive data and information” could subject a contractor to risks under the False Claims Act. It could be almost reckless for a firm to agree to this without knowing what data must be protected and to what standards. Prudent companies should not enter into contracts that incorporate lists of cybersecurity obligations unless they understand the requirements and believe they can comply. For after a cyber incident occurs, the contractor can be sure to expect extra scrutiny.
False Claims Act violations result in civil penalties of as much as $11,000 per violation, as well as treble damages. Here’s how it would work: Suppose a contractor makes a bid where the RFP contained multiple cybersecurity standards and requirements to protect the federal data it will receive. A contractor could be exposed under the act if it didn’t understand the requirements or knew it did not have measures in place to protect its information systems. Prosecutors might contend that the contractor acted with a “reckless disregard” for the truth or falsity of its compliance with stated cyber protection requirements.
If the government considers compliance to be a condition of payment, or at least capable of influencing payment, False Claims Act exposure could follow under an express or “implied certification” theory. If it is a condition of payment, then the contractor will be liable for treble damages and civil penalties, which often run into the millions of dollars.
The dilemma for the contractor is whether to agree, while uncertain, or forgo the chance to bid. Agencies, for their part, should be careful not to demand compliance with new requirements before companies have sufficient time to respond.
Neither the government nor its vendors are immune from cyberattack. The government should not force its contractors to accept exposure to False Claims Act liability by demanding immediate compliance with cybersecurity measures that will take time, effort and investment to achieve.