The Serious Business of DFARS Compliance
A California U.S. district court ruled last week that allegations against Aerojet Rocketdyne could progress following Brian Markus’ complaint that the company terminated his employment after he repeatedly attempted to disclose cybersecurity failures to the company’s board of directors and refused to sign documents indicating that the company was compliant. While at Aerojet, Markus’ role was that of senior director of cybersecurity and responsible for ensuring Aerojet was complying with federal government regulations. The complaint goes on to allege that an Aerojet officer directly prevented him from revealing Aerojet’s cybersecurity vulnerabilities to the Board.
The assertion is a charge that the company violated the False Claims Act by falsely representing its level of compliance with pertinent cybersecurity standards so it could appear eligible for certain federal government contract awards. This misrepresentation was not fully disclosing the extent of their noncompliance with findings and recommendations related to third party penetration testing results, but also indirect communications with the Federal Government by overreporting the extent to which it had the required equipment in place and implemented security controls. According to the complaint, Aerojet allegedly complied with less than 30% of the standards.
Even though the Government thought that it would “be a relatively simple matter for the contractor to become compliant,” the court found it central that Aerojet persisted in limited compliance with protection measures and the fact that the company cherry-picked what data it chose to report to the government. Additionally, Aerojet attempted to argue that the DoD never expected full compliance because it constantly revised the regulations and guidance that attempted to ease the burdens on industry. The court disagreed, explaining that even if the Government never expected full compliance, the complaint was correct that the extent to which a company was technically compliant still matters to the Government’s decision to enter into a contract. The court also rejected an argument by Aerojet that the contracts at stake are related to missile defense and rocket technology, not cybersecurity. This again goes back to the issue of those same cybersecurity requirements not being met would/could impact the extent to which Aerojet could have not only performed the work but protected the controlled unclassified information (“CUI”). Citing the Supreme Court's decision in Escobar, the court noted that "…a partial disclosure (by Aerojet) would not relieve defendants of liability where defendants failed to 'disclose noncompliance with material statutory, regulatory, or contractual requirements.'"
The regulations at issue in the case require a contractor to implement specific controls covering various areas of cybersecurity. Since Aerojet contracted with NASA and DoD, the relevant regulations in the case are two contract clauses found in DoD and NASA federal acquisition regulations (DFARS and NASA FARS). Both clauses implement the standards for cybersecurity controls found in the National Institute of Standards and Technology Special Publication 800-171 (“NIST SP 800-171”), which concerns the protection of CUI in non-federal IT systems. CUI covers a broad range of information types, from personally identifying information, to engineering data, to computer software. The common thread running through all CUI is that while it is unclassified, it is still sensitive and should not be made public.
This case is a good reminder of the importance of clear internal reporting policies and having mechanisms in place to monitor compliance with cybersecurity requirements. When an employee, particularly an expert in cybersecurity and compliance, raises red flags, a company should conduct a thorough investigation. Limited reporting policies (or a lack thereof) may stymie opportunities to address employee concerns before an employee looks outside the company for solutions.
InfusionPoints has made it our mission to guide organizations towards compliance. To this end, we have simplified the process of NIST 800-171 via our DFARS Compliance and Assessment Services. We start with a risk-based approach that enables rapid success and provides a step-by-step approach to incrementally improve your Cybersecurity maturity and posture. InfusionPoints leverages our DFARS Gap Assessment to quickly develop a System Security Plan (SSP) and document the gaps in a Plan of Actions and Milestones (POA&M). Our team can quickly build the Cybersecurity controls into your systems, securely defend and operate your systems using our managed security services, and periodically test your new defenses to ensure their effectiveness. InfusionPoints’ DFARS Gap Assessment follows a four-step process as follows;
Establish scope and prioritize business/mission objectives and high-level priorities.
Conduct a risk assessment of your information systems to identify threats and risks.
Create a risk-informed target profile for your organization and systems.
Prioritize risks and develop a SSP and POA&M to close gaps and improve the current Cybersecurity Posture of your information systems.
Contact us today so we can help you become compliant with the Federal Government