Cybersecurity Whistleblower Theatre: A Play in Three Acts
I am fortunate to be lead counsel for three excellent relators on two of the unsealed FCA cases under the Civil Cyber Fraud Initiative (CCFI). Since the CCFI was announced by the DOJ in October 2021, I have screened dozens of cyberfraud cases, accepted and filed more than a dozen of them, and am currently preparing several more, with no end in sight.
Over this time, I have seen a pattern emerging in the narrative—one that answers both the question of “why are we seeing these cases now?” and the question of “what makes a good case under the CCFI?” Upon being asked to write this blog, I thought that the story is best told as just that—a story. I thus present you with “Cybersecurity Whistleblower Theatre: A Play in Three Acts.”
Act I: Business as Usual, or “The Good Old Days”
Our curtains open on Buildem Tuff, Inc. (“BT”), an old-school defense contractor that builds things for the military. (“Tuff things. Ruff things. Hard to Bluff Things.”). Buildem Tuff has been contracting with the Department of Defense directly, and as a subcontractor to other DoD primes, for many years. It takes pride in being a reliable and trusted partner that will always make a quality product and is very responsive to its government customers.
BT has always had top of the line technology needed for its main business, like CAD programs for its engineers, but for the most part, that was the main use for computers on campus. Over the years, executives gradually found other uses for computers, and as email, interoffice chat, and file sharing became more and more common, some weirdos even wanted to “dial in” from home. Eventually, in addition to its “real employees” (like designers, engineers, manufacturers, and quality control personnel), BT hired two IT Geeks,[1] Seamus and Sally, whose job is to keep the computers running.
Seamus has been with BT since the early 1990s and knows the system inside and out—because he built it. Sally joined more recently, because with all the new systems and data BT receives, Seamus needed help. He chose Sally because she has a background in cybersecurity that Seamus lacked. Seamus and Sally work in the basement, literally, and rarely interact with other folks unless there is a computer problem. Then they are summoned up from the depths of their Geek Lair to get things back up and running fast, so that the real work—building tuff things—can continue.
Oh, and one more thing. As the story opens, the IT Geeks have one extra role. Back in 2017, the Buildem Tuff C-Suite heard that from then on, when it contracted with DoD or its primes, it would have to certify that it was compliant with something called “the NIST standards.”[2]
A brief inquiry revealed that this NIST stuff was all just Computer Nonsense, and so it was sent down to the IT Geeks.
Sally and Seamus squabbled for a bit, because Sally, with her fancy cybersecurity background, wanted to be annoyingly precise about how the NIST controls worked. She even suggested that things might have to be changed.
Fortunately for BT executives, Seamus knows how to do things the Buildem Tuff way, and he kindly coached Sally not to bother the executives with details or, even worse, requests for budget. When Sally got feisty about it, Seamus took her off the project. After all, he reasoned, Buildem Tuff complied with the spirit of the cybersecurity controls, and as proof, they had never had a breach. (Or, at least, not that they knew of: BT had virtually none of the Audit and Accountability or Security Assessment controls in place, so nobody was looking.)[3]
Seamus then conducted the necessary “self-audit” of BT’s systems. He knew those systems intimately, so he didn’t bother writing out an SSP,[4] or trying to record exactly where in the systems the government data was being used.[5] He figured that overall, they weren’t perfect, but they were really close, so he assigned BT a score of 107 out of 110, which was entered into the Supplier Performance Risk System (SPRS), and crossed “NIST” off his list for the three years that score would be considered current. He also didn’t bother to do any POA&Ms. Not only did it seem like overkill when they already had a nifty score like 107, but no one checks those things anyway. It would be a lot of work for nothing, he reasoned, and besides, some of that stuff didn’t make a lot of sense.[6]
Act II: “CMMC Cometh…”
One day, the C-Suite took notice of some buzzing it was hearing about the “Cybersecurity Maturity Model Certification,” or CMMC.[7] At first, it didn’t seem like a big deal. CMMC was just those same old NIST standards that the IT Geeks were already covering. But then it was discovered that while CMMC Level 2 involved the same 110 controls, it would require a third-party assessor to verify them.
That sounded a little…messy. And maybe expensive. Best to check in with the IT Geeks.
Seamus was brought to the C-Suite and confidently reported that all was well on the NIST front. However, once it was explained that the system would be assessed by some third-party Star Wars sounding robot,[8] he thought it might be a good time to check in with Sally.
Finally vindicated, Sally gave the PowerPoint of her life, explaining to the C-Suite that BT was not, in fact, in compliance with the NIST standards and in fact, never had been. She ended with an epic slide showing that a third-party assessment would net a score closer to negative 107 than 107,[9] and, throwing caution to the wind, provided an estimate to fix the problem that would have made the C-Suite’s collective hair curl, if they had any.
Alas, a prophet is never respected in his own land, and besides, Sally is a girl.[10] How could the C-Suite trust her gloomy doomy, probably hysterical assessment? And besides, even if she was right about the negative score, BT still had a year before it next had to report a score to SPRS.[11]
The C-Suite decided to hire a Proper Expert to come in and assess the system, confident that the fix—if one was even needed—would be fast and cheap.
But upon arrival, the Proper Expert did the unthinkable: he agreed with Sally’s opinion! And an even more outrageous budget was proposed!
What to do?
The C-Suite was not happy. It was time to gather facts.
Upon investigation, it was determined that (1) the next SPRS score would likely be based on self-assessment, with no one to gainsay the existing 107; and (2) nobody was sure when, if ever, CMMC would make it through federal rulemaking. In short, there was plenty of time.
This position, widely lauded by the C-Suite, conveniently overlooked two important facts. First, the obligation already existed: DFARS 252.204-7012 required BT to have implemented NIST SP 800-171 years earlier, CMMC or no CMMC. Second, the misrepresentation already existed: a score of 107 was sitting in SPRS, and BT now knew it was wrong.
In other words, BT was now knowingly using a false statement to get money under its government contracts, prime and sub, to which it was not entitled.
Or, in short form, it was violating the False Claims Act.
Of course, no big announcement was made that BT had decided not to comply with NIST. Instead:
Proper Expert was sent away, saying that things would be handled “in house.”
Seamus and Sally were told to come up with a plan, but the plan somehow just never found its way onto any agendas, and never had budget, nor was there staff… maybe in next year’s budget…
Finally, the C-Suite informed (an annoyingly overly persistent) Sally that the company was “prepared to accept the risk” of not acting now, because it didn’t want to compromise “user experience” during the implementation.
Act III: “Enter the Whistleblower”
By this point, Sally is freaking out.
She alone seems to understand that BT can’t “accept the risk” for the government of having its data compromised.
She alone seems to understand that the obligation exists now, not at the time of future CMMC implementation.
Companies like BT do not like it when people freak out. BT fires the annoying, freaking-out IT Geek. Bye, Sally.
Sally may never have looked for an attorney before, but she needs one now. At a minimum, she needs an employment lawyer, and the False Claims Act has its own anti-retaliation provision (31 U.S.C. § 3730(h)) that protects employees who try to stop a violation.
Seamus is a little uneasy, too. What if Sally was right? Is he now on the hook for all the “self-assessments” if the government does come calling?
For that matter, Proper Expert is pretty concerned himself about the CUI he saw going unprotected at BT…
Fin
And thus the stage is set for the sequel: “Company Pays Big Bucks to Do What It Should Have Done Already!”
This blog was written by Julie Bracker, a Partner at Bracker Marcus. This blog was edited by Darth Newman, the Founding Attorney at the Law Offices of Darth M. Newman.
Footnotes:
[1] As the wife of a certified (really) IT Geek, I am allowed to use this term. Your mileage may vary, but in my vast and varied experience, most Geeks claim it proudly.
[2] A bit more specifically, DFARS 252.204-7012 (“Safeguarding Covered Defense Information and Cyber Incident Reporting”), requires contractors to provide “adequate security” for covered defense information that is processed, stored, created, or transmitted on its internal information systems. Such covered information is known as Controlled Unclassified Information (CUI): information owned or created by the government that is sensitive, but not classified, such as technical data, patents, or information relating to the manufacture or acquisition of goods and services. Specific definitions and categories of CUI are published by government agencies.
“Adequate” security for protection of CUI is defined, at a minimum, as implementation of National Institute of Standards and Technology (NIST) Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (“NIST SP 800-171”), online at https://www.nist.gov/cyberframework/framework (last visited Oct. 27, 2024).
The requirement to put a number on that implementation came a little later. Since November 2020, DFARS 252.204-7019 and 252.204-7020 have required contractors to carry out a Basic Assessment (a self-assessment) of their NIST SP 800-171 implementation, scored under the DoD Assessment Methodology by reviewing their System Security Plan (SSP), and to post the resulting score in the “Supplier Performance Risk System” (SPRS), which is housed on a DoD website, before award. This applies to any contract carrying the -7012 clause, whether or not CUI actually ends up flowing under it. If a contractor doesn’t have a perfect score of 110, then the SSP should be accompanied by a Plan of Action & Milestones (POA&M, pronounced the same way us Georgians pronounce poem), which details how and by when it will reach full compliance. A posted score is current for three years, so contractors submit a fresh self-assessment at least that often.
[3] Fun fact: with no audit logs, no one knows if you have been breached or not. Perhaps that is why Acting Assistant Attorney General Brian M. Boynton, speaking at the Cybersecurity and Infrastructure Security Agency (CISA)’s Fourth Annual National Cybersecurity Summit on October 13, 2021, stated that “we have identified at least three common cybersecurity failures that are prime candidates for potential False Claims Act enforcement through [the CCFI]”, and only one included breaches. The first two are knowing failures to comply with cybersecurity standards and knowing misrepresentation of security controls and practices. The third, knowing failure to timely report suspected breaches, involves hiding a breach—but that’s the only one that requires a breach at all.
[4] By the way, failure to have an SSP is, itself, noncompliance with the DFARS.
[5] Proper scoping of the system or systems that transmit, use, or create CUI is a critical part of an SSP. This is another huge problem for BT.
[6] Lack of POA&Ms is one of the problems that Penn State was nailed for, by the way. https://www.justice.gov/opa/pr/pennsylvania-state-university-agrees-pay-125m-resolve-false-claims-act-allegations-relating (last visited Oct. 28, 2024) (“The settlement resolves allegations that, between 2018 and 2023, Penn State failed to implement cybersecurity controls that were contractually required by DoD and NASA and did not adequately develop and implement plans of action to correct deficiencies it identified.”)
[7] CMMC is a tiered model under which a contractor’s implementation of the existing requirements is verified rather than merely self-reported. At Level 1, contractors must meet the fifteen basic safeguarding requirements of FAR 52.204-21 and do an annual self-assessment and annual affirmation of compliance. At Level 2, which is where BT falls because it receives CUI, a contractor must meet all 110 NIST SP 800-171 requirements. The final rule splits Level 2 into two tracks: a self-assessment track, and a certification track in which a Certified Third Party Assessment Organization (“C3PAO”) assesses the contractor every three years. Which track applies is set by the solicitation, and both require an annual affirmation of compliance. At Level 3, a contractor must meet the 110 NIST SP 800-171 requirements plus another 24 from NIST SP 800-172, be assessed by DIBCAC every three years, and affirm annually. https://dodcio.defense.gov/CMMC/about/ (last visited Oct. 28, 2024).
Earlier this month, on October 15, 2024, the CMMC program final rule was published, establishing the program. It can be found at https://www.federalregister.gov/documents/2024/10/15/2024-22905/cybersecurity-maturity-model-certification-cmmc-program (last visited Oct. 28, 2024). The second CMMC rule, which will implement the program through the DFARS, is not far behind.
[8] In my practice, I prefer to call all C3PAOs “R2D2s.” Trust me, they love it.
[9] Under the DoD Assessment Methodology for NIST SP 800-171, an organization starts at the maximum of 110 and subtracts a weighted penalty of 1, 3, or 5 points for each requirement that is not implemented; the weight reflects how much a missing requirement hurts, so the score measures what is absent rather than what is present. Only two requirements allow partial credit (multifactor authentication, 3.5.3, and FIPS-validated cryptography, 3.13.11, lose 3 points rather than 5 when partly in place); everything else is all or nothing. Because the penalties add up faster than the points, the lowest possible score is actually -203, and a negative number is a perfectly legitimate thing to post in SPRS.
[10] Of course, not all Sallys in these stories are girls. Nor are there always two IT Geeks—there could be dozens, or only one. The point is, the inhouse folks are often some combination of poorly trained, or overly busy on other things, or not prepared to go toe to toe with the C-Suite or their colleagues, or all of the above.
[11] At this point, Dear Reader, you will note that BT now has a knowing misrepresentation to the government. This would have been an excellent time to self-report and come up with those POA&Ms that would show BT’s good faith intention to fix everything. Of course, that would be…expensive.