GovCon Alert: Failure to Comply with DFARS 252.204-7012 (or Any Material Clause in Your Contracts) Could be Considered False Claims Act Fraud, Exposing You to Treble (3x) Damages
By Joe Kirkwood
In recent years, a theory of liability under the False Claims Act (FCA) has developed in the courts that greatly raises the risk profile of FAR and DFARS noncompliance. Where normally failure to comply with a FAR or DFARS clause would be seen as a breach of contract entitling the government to fairly proportional remedies, this new theory brings noncompliance into the realm of the FCA, which incentivizes whistleblowing and carries the potential for treble (3x) damages. A recent example described below illustrates that fact.
The Implied Certification Theory
The implied certification theory holds that when a contractor submits an invoice to the government pursuant to a government contract, it is certifying that it complied with all laws and contract clauses when that work.
The theory only applies to material noncompliance, that is, where the contractor’s lack of compliance would have been material to the government’s decision to pay that invoice.
In short, if there was a material compliance issue during the period of a given invoice, the government considers the submission of that invoice to have been a false statement against the government made to induce the payment of money or property under the FCA.
DOJ Decision to Intervene in Georgia Tech Litigation
In late August, the U.S. Department of Justice (DOJ) decided to intervene and take part in FCA litigation against the Georgia Institute of Technology (Georgia Tech), originally filed qui tam by two Georgia Tech employees. The FCA empowers individuals to file claims on behalf of the government, qui tam, in exchange for a sizeable portion of the eventual award amount. An intervention by DOJ indicates that the government believes it can win the case based on the underlying facts and law of the original complaint.
The DOJ complaint alleges that the university failed to implement contractual cybersecurity controls required by DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which was an included clause in contracts with the U.S. Air Force and the Defense Advanced Research Projects Agency (DARPA).
Specifically, Georgia Tech is alleged to have failed to: (a) develop, document and update system security plans and NIST SP 800-171 security controls (as required by DFARS -7012); (b) run required antivirus and incident detection software; and (c) establish or implement plans of action or deadlines for security controls that has not yet been implemented (as required when some NIST SP 800-171 controls have not been implemented).
Additionally, the complaint alleges that the university knowingly submitted a summary, university-wide assessment cybersecurity score of its information systems (to claim compliance with DFARS 252.204-7019, NIST SP 800-171 DoD Assessment Requirements), instead of a score for the relevant research lab itself, with the intent of inducing the government to award and/or retain contracts. This is especially egregious given there is no campuswide IT system at the university.
Importantly, no security breach actually occurred. But nevertheless, substantial liability is on the table for the contractor. This should cause contractors who work under DFARS 252.204-7012 to pause and consider whether their analysis of DFARS -7012 compliance should continue to be one of risk analysis and following the herd, or whether they should institute efforts to comply with the letter of the clause and associated security controls.
The example above is not a pure illustration of the implied certification theory, because DOJ alleges there was a misleading submission made outside of the mere submission of an invoice. However, the fact that DOJ is willing to push forward with a FCA action in this case suggests strong support that the theory, which has been ratified in other contexts, will continue to be used against contractors that do not comply with DFARS -7012 or any other material FAR or DFARS clause.