The US Department of Justice (DoJ) recently announced a new initiative to pursue organizations for cybersecurity fraud using the False Claims Act (FCA). Under these plans, organizations within the federal government’s supply chain will be held accountable for misrepresenting their cybersecurity practices, or for not abiding by contractual commitments to monitor cybersecurity and report incidents.
The proposed Civil Cyber Fraud Initiative follows on from President Biden’s Executive Order. The order set out the government’s commitment to strengthening its cybersecurity and that of its supply chain. This came in the wake of high-profile attacks such as the SolarWinds data breach.
The Department of Defense (DoD) has estimated the annual cost of all cyberattacks to be over $600 billion. It is hoped that these latest measures will help to hold contractors to their commitments to protect government information and infrastructure.
The DoD has been rolling out a number of new regulations on cyber reporting in recent years. These include the Cybersecurity Maturity Model Certification (CMMC), a multi-tiered model for evaluating federal contractors’ systems. CMMC is largely based on the requirements set out in National Institute of Standards and Technology (NIST) Special Publication 800-171.
Any organization or contractor that handles the government’s Controlled Unclassified Information (CUI) must comply with NIST 800-171. Under the Civil Cyber Fraud Initiative, those not complying with their contractual cybersecurity commitments can be pursued under the FCA. If found to be at fault, they may be liable for a penalty.
When unveiling the new policy in October, Deputy Attorney General Lisa Monaco warned that this fine could be very hefty, and the damages can be tripled if the organization is found to have intentionally committed cyber fraud.
The DoJ already uses the False Claims Act frequently to pursue organizations for other malpractices, such as falsely invoicing for work not carried out. Last year alone, it recovered over $2.2 billion in settlements and judgments through the FCA.
Private citizens and contractor employees are encouraged to act as whistleblowers. Under the FCA, they can file qui tam suits if they believe fraudulent activity has taken place. In return, the government guarantees them between 15% and 30% of the recovered amount.
Since the FCA was bolstered by Congress in the 1980s, around $64 billion has been paid out to whistleblowers.
In light of this, all organizations in the government supply chain should be taking action. They need to step up their assessment of compliance with all the cybersecurity regulations and obligations set out in their contractual agreements. Tools such as Titania Nipper can be used to automate the auditing of core network devices.
Nipper detects exploitable misconfigurations and vulnerabilities and analyzes security gaps in line with best-practice Risk Management Frameworks (RMF). The software’s unrivaled accuracy is achieved by virtually modeling a device configuration as a single entity, so that interdependencies within the core network are taken into account. This is the only accurate way to detect misconfigurations.
When used with its native NIST 800-171 module, Nipper can automate the compliance assessment of 89% of the NIST 800-171 requirements across 8 control families.
Request a free trial of Titania Nipper to see how the tool can streamline your NIST 800-171 assessment today.