If you are part of the Department of Defense (DoD) supply chain, you likely have various Defense Federal Acquisition Regulation Supplement (DFARS) disclosures that you must attest to during the course of doing business.
As a critical component of the Defense Industrial Base, most small manufacturers stay laser-focused on high-quality operations. No company signs their DFARS disclosures with the intention of violating the False Claims Act (FCA). However, for many DoD suppliers DFARS clause 252.204-7012 Safeguarding Covered Defense Information & Cyber Incident Reporting can be just another form to sign. It is important that companies understand the obligations contained in the clause or the potential legal ramifications for failing to comply.
According to the global law firm DLA Piper in May of 2019, “For the first time, a district court has held that a contractor's failure to comply with a US government contract's cybersecurity requirements can expose a company to False Claims Act (FCA) liability.” DLA Piper summarizes the issue by saying, “The decision highlights the expansion of False Claims Act risk for contractors in an area that already presents unique challenges, and underscores the importance of cybersecurity compliance.”
FCA liability can emerge from not just incorrectly claiming that you employ adequate cybersecurity under DFARS, but also from failing to disclose deficiencies. There are many cybersecurity requirements in DFARS clause 252.204-7012 and, unfortunately, that means there are many missteps that small suppliers can make. Each violation of the False Claims Act carries a potential penalty. Currently, those penalties range from $11,665 to $23,331. In some instances, FCA penalties have totaled several million dollars.
Ultimately, False Claims Act penalties are a significant risk to small businesses. Even if your organization is not singled out for a cybersecurity audit, seemingly far-off cybersecurity incidents within the interconnected Defense Industrial Base can quickly have a DoD cybersecurity investigation knocking on your door.
CMTC has tremendous experience in providing cybersecurity training and technical assistance on DFARS cybersecurity requirements. Do not hesitate to reach out to CMTC for more information on the topics discussed here or for help demystifying and understanding the complex world of cybersecurity and how it affects your business.
*This blog post does not constitute legal advice. Companies should consult with their legal advisors.