Do you do business with the government?
If you or your firm are a government contractor and suffer a security incident or misrepresent your cybersecurity practices, heads up.
The U.S. Department of Justice could sue you.
The DOJ recently said it would leverage the existing False Claims Act (FCA) to pursue cybersecurity-related fraud by government contractors and grant recipients.
The FCA allows for per claim penalties that range from $11,665 to $23,331 plus up to three times the amount of damages that the government sustains, according to an article in JDSupra.com.
The DOJ said that contractors – including individuals, employees, and federal grant recipients – who fail to report hacks or fail to follow government-required cybersecurity procedures – put government systems at risk. Hence the stepped-up enforcement effort.
The new initiative is part of a Biden administration effort to incentivize contractors and private companies to share breach information with the government and strengthen cybersecurity defenses. The federal government wants to raise cybersecurity efforts across the U.S. in hopes of fostering strong cybersecurity across public and private entities.
A DOJ official detailed in a speech ways contractors could face FCA enforcement:
- Failure to comply with cybersecurity standards.
- Misrepresenting the strength and breadth of security controls and practices.
- Failure to report breaches in a timely manner.
Measures you may need to review to assure compliance include:
- Assessing your vendors’ security measures as well as your own. The recent supply-chain breaches should serve as notice that you must use vendors who take security seriously if you serve the government.
“The government has made it clear protection of data is the grant recipient’s or contractor’s responsibility—not the third party,” an article in Compliance Week said.
- Review your “air gaps.” Make sure what you think is off the public internet can’t be accessed by someone’s unauthorized device. An unexpected back door could get you crossways with the government.
- Document your decisions, including reasons you haven’t implemented a measure or done a third-party risk assessment. Having documentation can help if you need to defend yourself.
We can help with all these measures – Risk Assessment, Documentation, Third-Party or Vendor Management – and more. We can also advise you on how to improve your situation if you know your organization has let some things slide – due to funding or staffing.
Contact us today for a confidential discussion of your concerns.