About 20 years ago I was assisting the US Department of Health and Human Services in investigating and prosecuting healthcare fraud. The primary tool was the False Claims Act (FCA), driven by reports from qui tam relators (i.e., whistleblowers). It was and remains very effective: for FY 2021 (ended Sept. 30, 2021) the DOJ announced FCA settlements and judgments totaling more than $5.6 billion, of which roughly 90% came from healthcare. Now I help government contractors get and stay in compliance.
Most people are well aware of Medicare and Medicaid fraud, and of the fact that individuals, health systems, insurers and ancillary care providers (imaging, physical therapy, dentists, etc.) are prosecuted every year for fraudulent claim submissions.
However, the Department of Justice (DOJ) has now taken a page out of the HHS playbook. Under Executive Order 14028 (Improving the Nation’s Cybersecurity, May 2021) all federal agencies were instructed to shore up their approach to cybersecurity. Multiple initiatives were delineated in the EO (see: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/), including a new public-private Cyber Safety Review Board to review significant incidents, significant requirements for software sold to the federal government, and more. The DOJ took the directive and, to put some teeth into the enforcement of these new requirements, developed the Civil Cyber-Fraud Initiative (announced October 2021), which also relies on the FCA.
According to the DOJ announcement, “The initiative will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”
The National Cybersecurity Strategy Implementation Plan, released in July 2023, identified multiple high-impact initiatives, of which pursuing false claims enforcement is one: Initiative 3.5.2 is entitled “Leverage the False Claims Act to improve vendor cybersecurity.” It specifies that the DOJ will “expand efforts to identify, pursue, and deter knowing failures to comply with cybersecurity requirements in Federal contracts and grants.”
What does this mean for a federal government contractor?
The FAR clause (52.204-21, “Basic Safeguarding of Covered Contractor Information Systems”) lays out 15 basic safeguarding requirements that contractors for every agency of the federal government must follow. DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” is far more rigorous for defense contractors and subcontractors: it requires implementation of the 110 security requirements in NIST SP 800-171, which (currently) must be self-assessed under the NIST SP 800-171 DoD Assessment Methodology and reported as part of the procurement process for DoD. The resulting score must be entered in the Supplier Performance Risk System (SPRS), where it is one of the ratings used to evaluate suppliers competing for defense contracts.
Procurement and acquisition officers and specialists in DoD have been told that they must use the SPRS scores this year and going forward, as use of the system has been erratic at best. Assuming the scores are used, they have become a focus area for DoD: the DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) has begun looking at the scores members of the Defense Industrial Base have entered for their NIST SP 800-171 compliance. Knowing that a high score is more likely to win an award, and in many cases without taking a hard look at the requirements, companies have self-reported a perfect 110 for almost 75% of the scores. A perfect score is very difficult to achieve, so DIBCAC assessors have begun scrutinizing the companies reporting one and asking for evidence that the controls are in place and actually used. The population is doing rather poorly at substantiating its self-reported scores.
It should not be a surprise, then, that there is a push for a heavier hammer to incentivize compliance (the FCA), and that plenty of new assessors are in place to perform the initial assessments. This is also why DoD has put forward the CMMC (Cybersecurity Maturity Model Certification); though it creeps along, it is finally in the rule-making process.
There is simply too much danger to the supply chain, and directly to agencies of the federal government, from cyber-attacks, whether they exploit software vulnerabilities (the subject of another 3Comply blog post), intrusions, malware, or other attacks via cyberspace. The war in Ukraine has demonstrated very clearly that many adversaries in cyberspace are more than happy to attack the federal government. This is why there has been such focus on this area since the release of EO 14028 in May 2021.
How do I learn more?
Give us a call and we will be happy to help!
Schedule a call with us today: https://calendly.com/d/24f-dt5-d9f/30-minute-exploratory-session
LinkedIn page: https://www.linkedin.com/company/3comply