The DOD’s New CMMC Requirements and the False Claims Act
Recent well publicized data breaches pertaining to Department of Defense (DoD) unclassified information have caused the DoD to adopt new regulations for contractors who might be handling unclassified information for the DoD. On September 29, 2020, the DoD issued an interim rule aimed at implementing its Cybersecurity Maturity Model Certification (CMMC) program. There is no doubt that the CMMC will be a major change for government contractors, as the DoD will phase in stricter regulations over the course of the next four years pertaining to assessing contractor implementation of cybersecurity requirements to enhance the protection of controlled unclassified information (CUI) within the DoD supply chain. What will the new DoD CMMC regulations mean for government contractors looking to comply with the False Claims Act (FCA)? Senator Grassley and Acting Assistant Attorney General of the DOJ’s Civil Division Brian Boynton recently expressed support for wielding the FCA like a “sledgehammer” when it comes to cybersecurity-related fraud. As such, ensuring that your business is in compliance with the CMMC program should be at the top of every DoD contractor’s priority list.
Understanding the DoD’s New CMMC Regulations
The new CMMC interim rule will affect the Defense Federal Acquisition Regulation Supplement (DFARS), requiring all solicitations and contracts to contain the following clauses: DFARS 252.204-7019 (requiring contractors to have a current National Institute of Standards and Technology (NIST) SP 800–171 DoD Assessment) and DFARS 252.204-7020 (describing NIST SP 800-171 Assessment requirements). Over the next four years, DFARS 252.204-7021, which carries the substantive CMMC requirements, will be phased in to all DoD contracts and solicitations. Additionally, subcontracts will also be required to contain CMMC language.
There are a couple of instances where these rules will not come into play. First, these DFARS clauses will not be required in contracts for purchases at or below the micro-purchase threshold. See FAR 13.201(d). Second, when fully implemented, these DFARS clauses will not be required in purchases of commercially available off-the-shelf (COTS) items. If a COTS item is contained within a larger DoD purchase, however, that COTS product will be subject to the new CMMC regulations.
As of November 30, 2020, DFARS 252.204–7019 and DFARS 252.204-7020 are required within every DoD contract and solicitation. DFARS 252.204–7019(b) states “In order to be considered for award, if the Offeror is required to implement NIST SP 800–171, the Offeror shall have a current assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) (see 252.204–7020) for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order.” The requirements and methodology for obtaining a “Basic, Medium, and High” assessment rating are located in the NIST SP 800-171. Essentially, contractors who do not have the correct qualifications will be pre-empted from bidding on projects that require the contractor to have a certain level of assessment. For instance, NIST SP 800-171 states that a “Basic Assessment results in a confidence level of ‘Low’ in the resulting score [when bidding on a solicitation] because it is a self-generated score.” Similarly, an NIST SP 800-171 assessment of “High” is viewed by the DoD as “the preferred methodology for a full evaluation of the risk to DoD CUI because of the ability to verify and validate the effectiveness of the safeguards that implement security requirements defined in NIST Special Publication 800-171.” Ultimately, an NIST SP 800-171 Assessment of “High” also results in a DoD confidence level of “High” when bidding on DoD solicitations.
To achieve a “Medium” or “High” assessment, the contractor will have to allow for DoD personnel to review and assess approximately one-hundred and ten (110) NIST SP 800-171 controls for compliance with DoD standards and protection of CUI. A contractor’s NIST SP 800-171 assessment results will be available throughout the DoD on the Supplier Performance Risk System (SPRS), a database that tracks contractor compliance with the CUI security requirements. The interim rule states the DoD expects to assess approximately 200 entities a year at the “Medium” rating and 110 entities a year at the “High” rating. Subcontractors must also have their information listed in the SPRS database.
As of November 30, 2020, DoD Contracting Officers are required to check the SPRS database to ensure government contractors have a valid SPRS assessment. This includes the renewal of options under an existing contract. As part of the phasing in of the new CMMC rules, the DoD Office of the Under Secretary of Defense for Acquisition and Sustainment will determine which solicitations require the DFARS 252.204-7021 CMMC requirements.
The new CMMC rules, similar to the NIST SP 800–171 assessment requirements, will provide that government contractors have a current (within three years) CMMC certificate during the duration of a government contract. See DFARS 252.204-7021. *Of note, the DoD asked for comments with respect to this proposed rule, which means some details like this might change.* Again, as mentioned above, this requirement will be phased in over the course of the next four plus years and will apply to all government contracts after September 30, 2025. The size of a contractor will not be taken into consideration, as “All CMMC levels are achievable by small, medium, and large contractors.” (Turn to page 6 of this .pdf). However, many smaller contractors simply will not have the expertise to become and stay compliant. A veritable industry of CMMC compliance experts seems to have emerged over the past few months promising to get your business up to CMMC compliance standards.
CMMC Third Party Assessment Organizations (C3PAOs) will be designated by the DoD to assess and certify a contractor’s compliance with the CMMC. There will be five levels (page 8 of .pdf) CMMC certification ranging from “Basic Cyber Hygiene” to “Advanced/Progressive”. Of note, a Level 1 certification will not make a contractor eligible to handle CUI. That only occurs when a contractor achieves Level 3 certification. When compared to NIST SP 800–171certification, CMMC Level 3 will have the same one-hundred and ten (110) requirements required to receive a “High” NIST SP 800–171 rating. Additionally, the CMMC will require additional practices and processes from other standards(FAQ #8), references, and/or sources such as NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”, and Computer Emergency Response Team (CERT) Resilience Management Model (RMM).
A contractor will have a few options available when seeking CMMC certification. It can have the CMMC certification apply to its entire network, or it can seek certification for those parts of its network that will be handling CUI. As with NIST SP 800-171 compliance, CMMC compliance is applicable to all subcontractors depending on the level of information they will be handling under the contract.
The FCA
The False Claims Act (FCA) is a Civil War era law originally enacted to protect the federal government against the onslaught of false claims that ensued immediately after the war began. It has undergone several transformations over the years, but probably none as strong as the 1986 FCA Amendments drafted by Senator Chuck Grassley. The 1986 FCA Amendments strengthened qui tam relator rights in the FCA.
Qui tam relator rights can be found at 31 U.S.C. § 3730, which states the qui tam plaintiff is entitled to 15-25% of whatever proceeds come from a case, either from judgment or settlement if the Government decides to move forward with an action.
When the Government does not proceed with a qui tam action, the qui tam relator becomes entitled to 25-30% of the proceeds from a case, to include reasonable expenses and attorneys’ fees and costs. 31 U.S.C. § 3731(d) states the Government (or qui tam relator) need only prove the elements of an FCA cause of action by a preponderance of the evidence.
Senator Grassley’s newest push to beef up qui tam relator rights comes after the Supreme Court’s 2016 decision in Universal Health Services, Inc. v. United States, ex rel. Julio Escobar and Carmen Correa, 136 S.Ct. 1989 (2016) (hereinafter “Escobar”). In Escobar, the Supreme Court unanimously held FCA actions entail a defendant knowingly violating a contractual requirement with the Government and that the defendant knows that violation is material to the Government’s payment decision. Id. at 1996. Prior to Escobar, the Court had read the materiality provision in 31 U.S.C. § 3729 as an objective materiality test—whether a given provision was material to a contract and whether “the false statement [a defendant] makes in an attempt to obtain government funding has a natural tendency to influence or is capable of influencing the government’s funding decision.” United States ex rel. Harrison v. Westinghouse Savannah River Co., 352 F.3d 908, 916–17 (4th Cir. 2003). Afterwards, however, the materiality test shifted to a focus on the Government’s actual conduct—whether the false statement actually had an effect on the Government’s decision to pay out a claim. Many in the FCA world, including Senator Grassley, viewed this as lessening the strength of the FCA, as both relators and the Department of Justice now had a harder task in providing evidence to show the Government’s actual decision to pay out a claim was influenced by a defendant’s false statement.
In response, qui tam plaintiffs took to mining publicly available data with the intent of finding evidence to support the notion that the Government’s actions in paying out a claim were influenced by a false statement.
The CMMC in light of the FCA
Government contractors need to be acutely aware of a few things over the phase in years with respect to CMMC compliance and the FCA. First, CMMC compliance requirements will be a sprawling and possibly continuously moving target (depending on a contractor’s level of compliance) for any DoD government contractor for the foreseeable future. Under the CMMC, DoD contracts will have over 110+ points of failure which numerous IT personnel will be watching, as well as potential qui tam relators. This will require constant vigilance, as the current interim rule requires compliance throughout the course of a contract.
Second, and somewhat related, given the jurisprudence that has arisen after Escobar, it is highly likely that payouts to DoD Government contractors who are not in compliance with the CMMC will be viewed as material given the DoD’s emphasis on compliance with the CMMC regulation. The real litigation will take place in determining whether failure and non-disclosure of one or more of the new CMMC requirements during the course of a contract (but while a contractor still has CMMC certification) render a cause of action under the FCA. Ward & Berry has identified this as a particularly high litigation risk area. Constant vigilance of a contractor’s compliance with the CMMC will be essential to overcoming any FCA claims.
Finally, under the new Biden administration (with support across the aisle from at least Senator Grassley), DoD Government contractors should expect that the Department of Justice will take a more active and aggressive role in FCA litigation. DoD Government contractors should constantly be aware of any changes in law or regulation that will increase their exposure to FCA litigation.
To summarize, the DoD’s new CMMC regulations have the potential to exponentially increase a DoD contractor’s exposure to the FCA. Constant vigilance and compliance with the CMMC will be key to overcoming and minimalizing any CMMC violations. Should you need any help in this arena, Ward & Berry has FCA experience to help your business mitigate its risk, respond to government investigations, and defend FCA-based lawsuits.