Editor’s note: Jingcong Zhao also contributed to the development of this article.
In October 2021, Department of Justice (DOJ) Deputy Attorney General Lisa Monaco announced the creation of the new Civil Cyber-Fraud Initiative. With cybersecurity attacks and data breaches at an all-time high, the initiative will crack down on government contractors and grant recipients’ security practices in order to limit future cybersecurity incidents. The DOJ will utilize the False Claims Act to force organizations that work with the government to be more forthcoming about cybersecurity incidents.
“For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it,” said Deputy Attorney General Monaco in a DOJ press release. “We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards—because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.”
Now that the new initiative is in place, many organizations and individuals (especially company executives) need to be much more diligent to avoid misrepresenting their cybersecurity practices or protocols. Mischaracterizations of a company’s cybersecurity practices won’t just hurt your chances to win business, they can get your company in trouble legally. With this in mind, it’s important to know if and how you could be affected by the initiative and what you can do to proactively prevent any violations.
Highlights of the Civil Cyber-Fraud Initiative
Use of the False Claims Act (FCA) and Whistleblowers
Enacted during the Civil War, the False Claims Act is the federal government’s primary tool for exposing and fighting fraud involving federal programs and funds. It is a civil statute: anyone found liable for knowingly submitting false claims to the government owes treble damages plus a civil penalty for each false claim. Although it is an old law, the FCA has been amended several times to keep it current and has increasingly been applied to corporate fraud and compliance.
A major part of the FCA that will directly influence the Civil Cyber-Fraud Initiative is its whistleblower (qui tam) provision. It allows private individuals, typically employees or contractors of the government contractor or grant recipient, to file suit on the government’s behalf over fraudulent cybersecurity claims and to receive a share of any money recovered. The act also protects whistleblowers from retaliation by the organizations they name. In practice, the people most likely to know that a security plan overstates what is implemented, or that an incident went unreported, now have both protection and a financial incentive to come forward.
Allegations That Could be Investigated
The DOJ flagged the following as the types of situations that might lead to an organization or an individual being investigated:
- Knowingly providing deficient cybersecurity products or services
- Knowingly misrepresenting their cybersecurity practices or protocols
- Knowingly violating obligations to monitor and report cybersecurity incidents and breaches
“Knowingly” is the key word in each of these allegations, but it is broader than it sounds: under the FCA, acting knowingly covers actual knowledge, deliberate ignorance, and reckless disregard of the truth, and no specific intent to defraud is required. That is why routine organizational practices that are not monitored or set up correctly can still produce violations, even when nobody set out to deceive anyone.
Who Could be Impacted
The following were identified by the DOJ as groups of interest:
- Government contractors: Private organizations that produce and sell goods or services for the U.S. government.
- U.S. government grant recipients: Entities who have received federal money in the form of contracts, grants, loans, or other financial assistance.
These groups may seem narrow, but they reach further than prime contractors: subcontractors and subrecipients that handle federal information under flow-down clauses can fall within them too. And because attackers don’t discriminate by industry, organizations of all types should know whether they belong to either group.
Common Practices That Could Lead to Violations
- Improper data access/permissions for users outside the U.S.—Whether you’re a U.S.-based organization with satellite offices in other countries or you employ contractors abroad, it is hard to keep track of the permissions granted to people and systems in other jurisdictions. Some categories of federal information carry contractual restrictions on where the data may be stored and who may access it (export-controlled data is the common case), so overly broad access for non-U.S. personnel is not only a security exposure; it can itself put you out of compliance with terms you have certified to.
- Misuse and/or mismanagement of secure shell (SSH) keys—An SSH key pair is an authentication credential for the SSH protocol, which administrators and remote teams use for encrypted logins, command execution, and file transfer (scp, sftp) across untrusted networks. Unlike passwords, SSH keys usually never expire and are rarely tied to a central identity system, so they accumulate: copies left behind by departed staff, shared keys for service accounts, private keys checked into repositories, and authorized_keys entries with no source or command restrictions. Each of those is an access path nobody is tracking, which undercuts any claim that you monitor access to federal information.
- Failure to notify proper parties when a breach occurs. Your organization may have a written policy describing how it will respond to a cybersecurity incident or data breach, but a policy on paper is not enough. Everyone with a role must know exactly what to do, including notifying the affected government agency within the contractually required window and filing the proper reports (DFARS 252.204-7012, for example, requires cyber incidents to be reported to the Department of Defense within 72 hours of discovery). If your staff aren’t trained on their roles, or don’t know when an incident must be reported to the agency you work with, a late or missed notification is exactly the kind of failure to meet monitoring and reporting obligations the DOJ has said it will pursue.
- Failure to verify the information your security team put in your system security plan. If you’re a government contractor, you’re familiar with System Security Plans (SSP), Plans of Action and Milestones (POA&M), and frameworks like NIST SP 800-171. An SSP describes your operational environment and how each security requirement (for instance, those in NIST SP 800-171) is implemented in it; a POA&M records the requirements you have not yet met and when you will meet them. Agencies treat submitted SSPs and POA&Ms as critical input to their decision to contract with you, so an SSP that marks a requirement as implemented when it is not is precisely the kind of misrepresentation of cybersecurity practices the DOJ has flagged. Now more than ever, company officers should make sure the security team produces accurate SSPs and POA&Ms and has a monitoring system in place, so that requirements are checked throughout the year and every claim is backed by data.
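The SSH key point above is easier to act on with an inventory than with a policy statement. What follows is an added example, not code from the original article or from any Hyperproof product: a small Python audit of an OpenSSH authorized_keys file that decodes each public-key blob, reports the algorithm and RSA modulus size, and flags entries that use a deprecated algorithm, fall below a size threshold, lack a from= or command/forwarding restriction, or name an owner who is no longer on the active roster. The roster, the 3072-bit RSA minimum, and the key material are all constructed for the example (the moduli are fixed integers of the right size, not real keys).

```python
# Added example: audit an OpenSSH authorized_keys file for mismanaged keys.
# The roster, policy threshold and key material below are constructed for the example.
import base64
import re
import struct

MIN_RSA_BITS = 3072  # assumed policy value for this example
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")
RESTRICTIONS = {"restrict", "no-port-forwarding", "no-agent-forwarding", "no-pty", "command"}
_OPTIONS_THEN_KEY = re.compile(r'((?:[^\s"]|"[^"]*")+)\s+(.*)')  # options end at unquoted whitespace
_OPTION_TOKEN = re.compile(r'(?:[^,"]|"[^"]*")+')  # split on commas outside double quotes

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data  # SSH wire 'string': 4-byte length + bytes

def _mpint(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 8) // 8, "big")  # SSH 'mpint' for n >= 0, sign bit clear

def build_blob(key_type: str, *fields: bytes) -> str:
    # Base64 public-key blob: the type string followed by its fields
    blob = _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)
    return base64.b64encode(blob).decode()

def _read_string(buf: bytes, off: int):
    (length,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + length], off + 4 + length

def key_bits(blob: bytes):
    # Decode just enough of the blob to report key strength (None for unknown types)
    wire_type, off = _read_string(blob, 0)
    if wire_type == b"ssh-rsa":
        _e, off = _read_string(blob, off)  # public exponent, not needed here
        n, _ = _read_string(blob, off)     # modulus
        return int.from_bytes(n, "big").bit_length()
    return 256 if wire_type == b"ssh-ed25519" else None

def parse_line(raw: str):
    # One authorized_keys entry -> {type, bits, options, comment}; None for blanks/comments
    line = raw.strip()
    if not line or line.startswith("#"):
        return None
    options = []
    if not line.split(None, 1)[0].startswith(KEY_TYPE_PREFIXES):
        m = _OPTIONS_THEN_KEY.match(line)
        options, line = _OPTION_TOKEN.findall(m.group(1)), m.group(2)
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError(f"malformed entry: {raw!r}")
    comment = parts[2] if len(parts) == 3 else ""
    bits = key_bits(base64.b64decode(parts[1]))
    return {"type": parts[0], "bits": bits, "options": options, "comment": comment}

def audit(text: str, active_users):
    # Returns [(line_no, key_type, comment, [issues])] for entries that need attention
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = parse_line(raw)
        if entry is None:
            continue
        issues = []
        if entry["type"] == "ssh-dss":
            issues.append("deprecated DSA key")
        if entry["type"] == "ssh-rsa" and entry["bits"] < MIN_RSA_BITS:
            issues.append(f"RSA modulus {entry['bits']} bits < {MIN_RSA_BITS}")
        names = {opt.split("=", 1)[0] for opt in entry["options"]}
        if "from" not in names:
            issues.append("no from= source restriction")
        if not names & RESTRICTIONS:
            issues.append("no command or forwarding restriction")
        owner = entry["comment"].split("@")[0]
        if owner and owner not in active_users:
            issues.append(f"owner {owner!r} not on active roster")
        if issues:
            findings.append((line_no, entry["type"], entry["comment"], issues))
    return findings

# Constructed sample: fixed-size integers stand in for real key material.
ACTIVE_USERS = {"alice", "deploy"}
RSA_WEAK = build_blob("ssh-rsa", _mpint(65537), _mpint((1 << 1023) | 1))  # 1024-bit modulus
RSA_OK = build_blob("ssh-rsa", _mpint(65537), _mpint((1 << 3071) | 1))    # 3072-bit modulus
ED25519 = build_blob("ssh-ed25519", bytes(32))
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample authorized_keys
ssh-rsa {RSA_WEAK} bob@laptop
from="10.20.0.0/16",restrict,command="/usr/local/bin/deploy" ssh-ed25519 {ED25519} deploy@ci
ssh-rsa {RSA_OK} alice@workstation
"""

if __name__ == "__main__":
    for line_no, key_type, comment, issues in audit(SAMPLE_AUTHORIZED_KEYS, ACTIVE_USERS):
        print(f"line {line_no} {key_type} {comment}: " + "; ".join(issues))
```

On the sample, the departed user’s 1024-bit unrestricted key collects four findings, the restricted deploy key collects none, and the current employee’s key is flagged only for missing restrictions. In a real run you would feed it every authorized_keys file on every host (including any extra paths set by AuthorizedKeysFile in sshd_config) and take the roster from your identity provider. Note that matching an owner by the key comment is only as reliable as the comments themselves, which is one reason keys drift out of control in the first place.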
Steps to Prevent Civil Cyber-Fraud Initiative Fines
The implementation of the Civil Cyber-Fraud Initiative is something that organizations that work with the U.S. government can’t ignore. While strengthening the documentation and reporting of your cybersecurity compliance might seem daunting, there are some steps you can take that can help to make the job easier.
- Make sure you really understand what you’re being asked to do
Review your contract, then review it again. For instance, if you’re supposed to follow NIST SP 800-171, per your contract, you need to be sure you’re actually following all the requirements. Compliance frameworks like NIST SP 800-171 and FedRAMP are very detailed and time-consuming to complete, but they need to be followed exactly for your organization to be protected from potential issues with the Civil Cyber-Fraud Initiative.
If you’re looking to renew your contract, now is the time to start reviewing your controls and monitor how they’re working. You also need to see if there are requirements you’re not fully meeting and make sure those gaps are being addressed/remediated.
- Stay on top of documentation
Documentation is at the foundation of all compliance work. It’s vital to know if you have solid documentation on the controls that exist in your organization. In addition, you need to know if you are collecting the right evidence of your compliance activities.
With this in mind, you may want to hire an expert to do a gap assessment and analyze your current environment. This will help you to figure out the delta between what you’re doing today and the requirements you’re meant to follow (like NIST SP 800-171)—make sure you’re really as compliant as you think you are.
- Maintain Good Cybersecurity Hygiene
Return to and review data protection basics, such as:
- Locate and identify the systems and solutions in your network that store or transfer Federal information. These are the systems you’ll need to protect.
- Implement controls — policies, procedures, processes, and technical solutions — to protect information.
- Train your employees on how to use and transfer Federal Information (FI) in a way that is consistent with the requirements set out in NIST SP 800-171.
- Monitor who’s accessing your FI and for what purpose; be able to record all user activities and ensure that each action can be traced back to an individual.
- Periodically assess the controls in organizational systems to see if the controls are effective in their application. This assessment should be done on a regular basis to ensure that current processes will continue to protect FI.
- Scan for vulnerabilities in organizational systems and applications periodically, and when new vulnerabilities affecting those systems are identified, remediate them.
Frameworks Government Contractors and Grant Recipients Need to Know
NIST SP 800-171 is shorthand for National Institute of Standards and Technology Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. It provides recommended security requirements for protecting the confidentiality of controlled unclassified information (CUI) when that information resides in nonfederal systems. The requirements become binding on contractors through contract clauses, most notably DFARS 252.204-7012 for Department of Defense contracts.
Requirements for NIST SP 800-171:
The requirements in SP 800-171 are derived from FIPS 200 (Federal Information Processing Standards Publication 200, Minimum Security Requirements for Federal Information and Information Systems) and the moderate security control baseline in NIST SP 800-53, tailored to drop controls that are uniquely federal or not directly related to protecting the confidentiality of CUI. Those source controls have been developed over time to protect federal information and systems covered by FISMA (the Federal Information Security Modernization Act of 2014). FISMA requires federal agencies to provide information security protections commensurate with the risk of unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of the agency, including information on systems operated by contractors on the agency’s behalf.
Who Needs to Comply With NIST SP 800-171?
If you’re a contractor for a federal agency and your organization is processing CUI, you may be contractually obligated by the agency to implement the requirements recommended in SP 800-171. To be clear, these security requirements would apply to the components of your environment that process, store, or transmit CUI or that provide security protection for such components.
FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
The purpose of FedRAMP is to:
- Ensure that cloud applications and services used by government agencies have sufficient safeguards
- Enable efficient and cost-effective procurement of information systems/services
- Eliminate duplication of effort and risk management costs across government agencies
What organizations need to be FedRAMP compliant?
If your company provides cloud computing services or software-as-a-service (SaaS) applications and wants a U.S. federal agency as a customer, you will generally have to demonstrate FedRAMP authorization, because agencies are required to use FedRAMP for the cloud services they procure and write its requirements into those contracts. FedRAMP does not apply to every government contractor: it is an obligation on cloud service providers, not on contractors that merely use cloud services. But a cloud or SaaS provider that could be affected by the Civil Cyber-Fraud Initiative should already be FedRAMP authorized, or at least working toward it, and should take care never to describe itself as FedRAMP compliant when it is not.
Use Hyperproof for Continuous Cybersecurity Compliance
If you want to avoid potential negative financial and reputational effects of the Civil Cyber-Fraud Initiative, proactive and continuous compliance work is necessary. Lean on a comprehensive compliance operations platform, like Hyperproof, to help you with the following:
- Standing up complex compliance frameworks including FedRAMP, NIST SP 800-171, NIST SP 800-53 and CMMC
- Tracking and reporting on cybersecurity practices or protocols
- Tracking risk assessment results and putting risk remediation plans into action in order to maintain accountability
Protect your organization with Hyperproof—sign up for a demo today.