The False Claims Act and CMMC
Since the Department of Defense (DoD) became aware of some data breaches in 2019 that involved leaks of unclassified information, they’ve sought to establish new standards of data safety with their contractors.
The Cybersecurity Maturity Model Certification (CMMC) outlines five levels of cybersecurity protocols, each corresponding to a different level of security required of contractors.
These protocols will be mandatory for those who want to do business with the DoD by 2026, but the expectation that companies are following the security guidelines or are at least demonstrating advancement toward compliance is already here.
As companies work toward compliance, CMMC Third-Party Assessment Organizations (C3PAO) will begin to conduct audits to ensure that all of the necessary steps are being taken.
What Is the False Claims Act (FCA)?
While the False Claims Act has existed since 1863, it wasn’t until modifications were made in 1986 that it changed into the whistleblower protection and anti-fraud law that it is today.
Originally, the law was used to protect the Federal Government against fraud, particularly against defense contractors who sold ineffective or broken weapons.
Because it was enacted during Abraham Lincoln’s presidency, the FCA was also known for many years as the “Lincoln Law.”
How the False Claims Act (FCA) Will Be Used with CMMC
The DoD is highly sensitive to cybersecurity threats following some serious data breaches over the last few years. They will be wielding the power of the FCA to ensure that the companies that they do business with will not be lax in their cybersecurity efforts, nor will they attempt to falsify claims, documents, or reports.
Companies that wish to continue their contracts with the DoD will need to heed their warnings and obey their requirements. This does not mean that accidents will be punished. Accidentally misfiling a document or letting typos slip through would not count as an act of fraud. Instead, a knowing violation of the law is what will get a business into trouble.
The DoD will punish:
- Knowingly creating or providing ineffective cybersecurity programs, products, or services
- Lying about the effectiveness of protocols and practices
- Failing to monitor and report breaches and incidents
Any company doing business with the DoD must be continually vigilant to stay compliant. Coverups of mistakes will be treated just as harshly as willful non-compliance.
In the past, the FCA outlined the punishments that could be applied to entities that presented false claims: a value double the government’s standard penalties, plus an additional $2,000 per claim charged to the business or person.
Punishment is still outlined in the FCA today. However, under the new guidelines, violators may be liable for treble damages (three times the damages) and a penalty fee that is specifically linked to inflation.
Both the government and whistleblowers may initiate cases under the FCA and seek damages. Liability can stem from false certifications of compliance, both implied and explicit, of any contractual, regulatory, or material obligations.
Proving the Claims
Claims of fraud don’t automatically lead to punishment under the new regulations. The claims require proof that willful, knowing fraud occurred.
However, since companies that do business with the DoD have been claiming compliance with National Institute of Standards and Technology (NIST) and Federal Acquisition Regulation (FAR) standards for years — the very set of standards from which the CMMC regulations stem — it will be difficult for any company to prove that the CMMC is an undue burden. This leaves contractors with few excuses when they make mistakes.
In other words, if a company is found to be non-compliant or submits false reports, they will not be able to claim that “I didn’t know I wasn’t allowed to submit this” or “the rules are too difficult to follow.” While claims of fraud need to be supported by evidence, so do claims that the CMMC is too difficult to understand.
How Companies Should Respond
Because the CMMC requirements are here to stay (and may even change to become more stringent over time), companies that desire to have their DoD contracts continue should enact policies and procedures now to stay compliant with the law.
Aside from avoiding a conflict with a government agency and running into legal issues, compliance with cybersecurity regulations protects your business, as well.
The regulations found in each of the five levels of the CMMC outline degrees of cyber health. The more “cyber-healthy” your company becomes, the better it will be at handling data safely for government and civilian clients alike.
In other words, it’s good business to have tough cybersecurity protocols.
If you want to improve your current protocols, there are many steps that you can implement right away. Some procedures you can put in place to maintain positive cyber-health are:
- Once rules, regulations, and procedures are put into place, test them regularly.
- If there are any shortcomings in any of the protocols, products, or personnel as pertains to keeping data safe, address them.
- Document everything — this will come in handy when analyzing your cybersecurity procedures or dealing with C3PAO audits.
- Create internal reporting requirements and establish ethics hotlines.
- Consider working with a managed services provider that specializes in IT support, cybersecurity, and compliance.
- Respond properly before a complaint leads to a lawsuit.
- When submitting Basic Assessments to the DoD regarding compliance with cybersecurity controls, do not guess or estimate.
The more focus your business can put on transparency, the better. Even the appearance of hiding security concerns can lead to trouble.
The DoD is only going to get tougher on protecting sensitive data from the threats of cybercrime. The breaches they’ve faced have increased the organization’s resolve. The DoD is fully willing and able to use the FCA’s penalties as a method of making their contractors fall in line if they want to continue their contracts.
From the DoD’s point of view, the CMMC doesn’t represent any major change to the level of cybersecurity they’ve been expecting for some time. It’s up to the businesses they work with to pursue proper levels of certification and to ensure compliance through audits.