Episode 18

The False Claims Act


About This Episode

Podcast Episode 18
September 25, 2025 - 29 mins

Waste, fraud, and abuse. These three words usually make headlines when government resources are misused on a massive scale. But the truth is, efforts to eliminate waste, fraud, and abuse extend far beyond the headline-grabbing cases.

In this episode, our experts explore how the government combats waste, fraud, and abuse, and why cybersecurity is now front and center in the conversation. Over the past 40 years, federal agencies have increasingly relied on contractors, which has in turn increased the need for enforcement mechanisms to combat waste, fraud, and abuse.

This episode goes over:

  • The history and role of the False Claims Act
  • How the Department of Justice’s Civil Cyber-Fraud Initiative is using it to tackle cybersecurity-related fraud
  • The unique role of whistleblowers, who gain both protections and incentives to report fraud
  • A real-world use case that illustrates how enforcement plays out
  • Practical strategies organizations can adopt to reduce their False Claims Act risk

If your organization works with the federal government, this conversation is a must-listen.

Episode Transcript

Cole French:

Waste, fraud and abuse. These three words used together often describe the misappropriation of government resources we hear about most often in major headline-making stories, but as we’ll break down on today’s episode, efforts to eliminate waste, fraud and abuse are much broader and more far-reaching than most realize, with real ramifications for organizations. Welcome to the Cyber Compliance and Beyond Podcast, a Kratos podcast that brings clarity to compliance, helping you leverage compliance as a tool to drive your business’s ability to compete in any market. I’m your host, Cole French. Kratos is a leading cybersecurity compliance advisory and assessment organization providing services to both government and commercial clients across varying sectors, including defense, space, satellite, financial services, and healthcare. Now, let’s get to today’s episode and help you move cybersecurity forward. If you ask anyone whether they believe waste, fraud and abuse abounds within the federal government, they’ll almost certainly say yes.

Equally abounding are efforts to eliminate waste, fraud, and abuse. This has become more and more prevalent over the last 40 years as the government has shifted toward outsourcing more work to contractors. There are many tools at the government’s disposal for combating waste, fraud, and abuse. One of the primary tools is the False Claims Act, passed in 1986. The False Claims Act has been used in many different types of enforcement actions. In 2021, however, the Department of Justice began the Civil Cyber-Fraud Initiative. This initiative utilizes the False Claims Act to pursue cybersecurity-related fraud. A unique aspect of the False Claims Act is its whistleblower provision, which provides incentives and protections for whistleblowers. Additionally, by emphasizing whistleblowers, the government is broadening its ability to identify cybersecurity-related fraud. In today’s episode, we’ll break down the False Claims Act, how it is used, identify a use case and discuss strategies organizations can use to help mitigate the risk of a False Claims Act action.

Joining me on today’s episode is Michael Gruden, a partner at Crowell & Moring. Michael is a former Pentagon information technology acquisition branch chief and cybersecurity lawyer who helps companies navigate privacy, cybersecurity and contract compliance requirements. Drawing from his nearly 15 years at the US Department of Defense and US Department of Homeland Security, Michael represents some of the nation’s largest defense contractors and tech companies in complying with data security requirements and responding to cyber incidents. Michael sits on the appeals board for the CMMC Framework Accreditation Body, where he is also a registered practitioner. He’s a certified information privacy professional with a US government concentration and chairs the ABA Science and Technology Section’s Homeland Security Committee. We hope you enjoy this episode. Michael, thank you for taking some time to join us today on the Cyber Compliance and Beyond Podcast to talk about a really relevant topic in the world of cybersecurity right now, and that is the False Claims Act. So if you could go ahead and just get us started with what is the False Claims Act, and most importantly, how does it apply to cyber?

Michael Gruden:

Thanks, Cole. Really great to be here and great to be with all of you. I think that this is really a relevant topic to discuss today and to understand the False Claims Act and how it’s being used to enforce contractors’ non-compliance with cybersecurity. Essentially, the False Claims Act is a regulation and a tool that’s been around since 1986 that’s been used by the government as really their primary enforcement mechanism for combating against fraud, waste, and abuse of contractors. As I mentioned, it’s been around since 1986 and every year the government recovers around 3 to billion annually recently with regards to enforcement actions, settlements and other penalties that they’ve levied against contractors for various instances of non-compliance with various contract terms or provisions. More recently though, in 2021, the government released the Civil Cyber-Fraud Initiative and that was focused on civil enforcement against government contractors that failed to follow cybersecurity contract requirements.

And since that time, we’ve seen a rampant uptick in again, these settlements with regards to companies where the government has alleged non-compliance. Something that’s unique about the False Claims Act too is that there’s a whistleblower provision also referred to as a qui tam provision, and really the DOJ incentivizes whistleblowers, and even at the time, Lisa Monaco, who was the Deputy Attorney General when the Civil Cyber Fraud Initiative was announced, stated that they expected whistleblowers to play a significant role in bringing to light knowing failures and misconduct in the cyber arena.

And so again, that’s primarily how we’ve seen a lot of these activities come forth in terms of investigations and discovery from the DOJ where through internal parties at companies, they’re actually becoming whistleblowers. And so I think that that’s something that companies should be aware of with regards to their cyber non-compliance or even as they’re sort of evolving and growing into their cyber maturity to really be mindful of the employees that you’re working with to making sure that you’re hearing concerns, that you have a methodical and documented path to remediation and to hardening your network and your compliance because all of these things collectively really matter.

And we’ve seen how the government has really zeroed in on companies where they’ve not taken concern seriously. And again, where there’s not been a methodical progression to complying with these regulations, and even more importantly than all of those two factors being unclear and inaccurate about your current cyber posture. Again, everyone wants to always presume the best and put forth their best self forward, but again, I think that that is really where companies have really erred and went in the wrong direction. That’s where, again, the government’s saying, “Hey, you said you were meeting all these requirements here, but clearly from these other external assessments or from these other audits, we found that there’s a disconnect of how you told us you were doing to an actuality what was currently being done at that time.” The government is not favorable and is not in any way giving companies any leeway in those areas if there’s any ambiguity.

Cole French:

So when it comes to the whistleblower components, is the whistleblower limited to an individual within that particular organization or could it really be anyone?

Michael Gruden:

Really could be anyone. And the way that that works is again, a whistleblower can bring forth the complaint to the DOJ and then the DOJ has the option to determine whether they want to intervene or not. And so if they do, then they would sort of take forth further action. And then if not that whistleblower can determine whether or not that they want to continue to progress with the actual case on their own. But oftentimes the government will intervene and then that’s again where there’s a lot more heat, if you will, and that’s not a legal term, but again, that’s where we’re seeing a lot more activity. And that’s where, again, kind of the apex of VUL and a lot of these enforcement actions.

Cole French:

Interesting. I think a lot of people think of enforcement actions. You think of somebody coming in and doing an investigation or collecting a bunch of information, things like that, an external party being alerted to something and doing an investigation, but in this case, it can come from within your own organization. So to highlight what you were saying, yeah, it is really important that you’re honest and upfront about what you’re doing from a cyber perspective because the people in your own organization have a means to hold you accountable. So the False Claims Act you mentioned earlier, is a means to enforce waste, fraud and abuse as it relates to contractors, government contractors. So I assume the Civil Cyber Initiative was obviously geared towards enforcing waste, fraud and abuse when it comes to cyber, but I assume the False Claims Act still has its original applicability as well. It’s still a tool that the government can use in other contexts as well.

Michael Gruden:

Oh, absolutely. Yeah. We see just a prevalence of activity, not just on cybersecurity, but in many other areas where we have government contracting activity. I think we see that in the area of cost accounting where again, if there’s certain cost accounting requirements and that companies have not met those, we’ve seen enforcement actions with regards to that. We’ve seen the same with regards to small business sort of size status and things of that. And so again, really up and down kind of the government contract compliance spectrum, we see activity in this space. So it’s really not exclusive by any means to cybersecurity, but we have seen just a significant amount of cases, more than I think I would’ve expected back in ’21 when this was announced. And we actually began various clients that were receiving civil investigatory demands, a CID from the government, again, requesting discovery with regards to various investigations where they were determining whether or not to bring forth an actual case.

And some of these, again, have proliferated for multiple years in terms of discovery, various presentations back and forth between the government and client in terms of the positions, and then determining if settlement is up on the table or not. But again, these actions, again, can span multi-years in terms of unpacking them, really zeroing in and honing in on the merits of the case. And I think one thing that I would note too is that even through our experiences, I think that cybersecurity in and of itself is complex, right? And I don’t have to tell that to you that there’s a lot of nuance. It’s highly technical. And again, even being a cyber attorney myself, and having worked in the government for a long time in government acquisitions and specifically in tech contracting at the Pentagon where I was an IT acquisition branch chief, I’m a bit more conversant than most attorneys.

But the one thing I’ve sort of cautioned a lot of companies about is that some will ask, “Well, what is our risk with this and how far can we get to the line, if you will, without risking enforcement or risking some type of government inquiry or audit or investigation?” And the thing I always tell them is that I feel like cybersecurity more than almost any other sector, I feel like is often lost in the court of law. And I can speak of that from firsthand experience where we’ve represented clients where again, conducting parallel investigations and preparation for these types of enforcement actions from the DOJ where we’re adamantly confident that the company was fully meeting various aspects of their technical requirements.

But that again, through litigation and it sort of just gets lost in translation. And that can be the biggest challenge and one of the most frustrating aspects of this that again, when you’re kind of evaluating the risks, one of the risks is that again, that the other party or that the judicial brands won’t fully understand some of the technical nuances where you actually may be meeting them. But again, there could be sort of, again, some ambiguity there that they might just get misunderstood.

Cole French:

I think that’s a great point because in the world of compliance specifically, but even in the world of just IT more broadly, it is very easy for things to get lost in translation. So I can see when you present information, and I mean you’re talking about potential enforcement actions, and I think that takes your case, so to speak, to an even broader, more varied audience, which I think would increase the likelihood that things could get lost in translation. I mean, we deal with all the time just within compliance in the space that I sit, we deal with different interpretations all the time, and I’m sure as an attorney, same thing is true for you, but we spend a lot of time going back and forth about how to interpret different things. So I can only imagine in these enforcement actions that information that is presented can often be lost in translation. That makes a lot of sense to me. So as we talk about relevance to compliance, going back to that, is a whistleblower the only sort of enforcement action or can an enforcement action be initiated by someone else?

Michael Gruden:

So absolutely, whistleblowers are not the only ways that actions are brought forth under the False Claims Act. Again, these can occur initially from the government themselves. As you know, there’s various different audit mechanisms that the government themselves holds where again, they have the ability and the authority to come on site even through various contract clauses that exist now. For instance, the DFARS 252.204-7020 with regards to compliance with the NIST basic self-assessment requirements and sort of meeting the Supplier Performance Risk System requirements of conducting those assessments. Under that same clause, it avails the government the right to come on site and conduct high audits through DIBCAC, the Defense Industrial Base Cybersecurity Assessment Center. That’s one mechanism. Again, another way that we’ve seen activity through is actually follow-ons to cyber incidents.

When incidents are reported to the government, again under the DFARS-7012 clause, 252.204-7020, the government also has the right to conduct further follow-on efforts with regards to an incident. And at times, sometimes it piques curiosity with regards to a company’s implementation or adherence to cyber requirements. And from there, from those various gaps, we have seen the government focus in on that. And there are various other investigatory arms of the government that also will sometimes receive internal complaints or external complaints, and then they can sort of move out from those as well and conduct investigations. And then from there, they may engage the DOJ who then may intervene and again, bring forth again, a False Claims Act suit.

Cole French:

Interesting. So a DIBCAC-high assessment could actually initiate a False Claims Act inquiry.

Michael Gruden:

They wouldn’t necessarily initiate it, but again, they could sort of like, “Hey, there’s something here.” And then through broader coordination with the government, the DOJ would then sort of from there sort of take things.

Cole French:

So we’ve talked a lot about obviously the False Claims Act here in this conversation, and at a high level what the risks are and what’s important, what organizations need to be thinking about. But why don’t you go into a little bit more detail on, or give a couple of examples of what organizations could be looking for based on, I guess you could call it precedent, right? Cases that we’ve seen, enforcement actions that we’ve seen. What are the things that the government is honing in on and really going after or targeting?

Michael Gruden:

Sure. I think there’s been a recent case that’s quite illustrative in a useful way in that it really captures a lot of the core areas that we were talking about, that the government really is looking for compliance both in cloud security and your baseline security requirements from NIST 800-171, as well as, again, those other written documentation requirements. And again, one leading case that I think comes to mind is MORSE Corp. That was a case that was settled and announced back in March of this year. And interestingly enough, that was also initiated through a qui tam provision, meaning that again, the company’s head of security and their facility security officer brought forth this original complaint and then the DOJ intervened in it. But I think something that’s interesting here is again, there’s sort of three core points that I guess that were brought up in the settlement.

The first was, again, that MORSE Corp was not using a compliant cloud service provider to process, store, and transmit their CUI. As I’m sure you’re familiar with, Cole, again, there’s these underlying requirements under the DFARS 7012 clause if you have CUI, and it’s not on your local network, but if it’s an extension of your network through a cloud platform, it needs to meet that. And again, this is something that some companies don’t have a full, I guess you’d say, command of or understanding that, again, if you have that on your network, that’s great. It needs to meet NIST 800-171. But anytime you’re using that external solution and your CUI is flowing out to it, again, if you’re not meeting it there, that’s again ripe for enforcement and you’re really creating a lot of risk. And so again, that was the first area that the government really zeroed in on and brought forth sort of as an area of non-compliance.

The second is that just sort of fundamentally they found that the company didn’t fully implement the 110 controls from NIST 800-171, but more critically, they found that they didn’t have actual written documentation to substantiate how they actually implemented all of the controls. And I think we’ve seen that for a lot of companies where they’re sort of first coming into compliance and sort of saying, “Well, we think we comply,” and then they’re sort of showing us what they have. But again, there isn’t a complete SSP. There is not a complete narrative per control. But even more importantly, what we see increasingly, a company might have a good narrative, but you in no way define your boundary, right? And they’re not creating network topology that describes the flow, but also the boundary where that data is limited and confined to. And again, that’s exactly here too.

What the government identified was that there was no description of system boundaries and therefore there was sort of no way to actually even prove that the company was compliant with it. For that reason. That was sort of another area that they were saying, “Hey, you’re not really meeting the standards here that are at play.” And lastly, the other thing that I think is interesting too, we’ve talked about these SPRS scores. Again, the supplier performance risk system sort of requirement, which again is if you again have CUI in your network and you have these clauses like 7012, but here more importantly the 7020 clause, you have to conduct a basic self-assessment utilizing the DOD’s NIST basic self-assessment methodology. And so again, they found that again, they failed to update their score, that there was again, a deviation where again, they had reported them a significantly higher score than what was actually accurate.

And again, this specific use case is what we’ve seen many times over the last several years as we’re helping conduct, in many instances, privileged assessments for companies to help them determine where they are in their cyber journey. We’ll find that again, initially they put themselves really high, maybe even up at a perfect score of 110, where in actuality they might be somewhere way lower down in the 50s, the 30s, or even in the negatives until they actually fully implement solutions, until they fully remediate and draft out refined and accurate policies that then help substantiate these other underlying controls. But I will take that back to when I was mentioning privileged assessments and the importance of that. Exactly these reasons are why a lot of companies are electing to have these privileged cybersecurity assessments because again, a lot of the discovery that occurs during these cyber FCA cases is all sort of foundational upon unprivileged cybersecurity assessments.

And again, we’ve seen through many of the cases that we’ve litigated that again, through that discovery, the government is obtaining again, unprivileged cyber assessments and they’re finding, again, all of those gaps that were identified. And again, they’ll look at those and they’ll look at the time and say, “You knew three years ago that you, as an example, did not have access controls in place. You knew that your firewalls were not properly configured, that your network boundaries were not defined yet you said that you fully met all of those, but here we have an external third party that validated that and you had that knowledge yet you did not change anything.”

And again, those disconnects are again, where the government is finding, again, that evidence that’s sort of proving that companies are not complying. And so again, a lot of companies are now, as they’re working through their compliance journey, seeing the value of having an attorney-client privileged writing of this assessment such that, again, through the conducting of these audits and assessments that we’re doing as an external law firm for the furtherance of legal services, where we conduct them either ourselves or if we partner with a third party external organization like Kratos for instance, when we’re doing that again, it sort of helps insulate that so you have a little bit more of a no-fault environment where you can methodically kind of work through and remediate without risk of that being fully discovered because again, you’re insulating that through the direction of the outside counsel.

Cole French:

I want to hit on something you mentioned that I think we see also, I feel like a lot of the work we do is most of these organizations are meeting their requirements, right? From an operational standpoint, they’re like 95% there we’ll say, or maybe 90%, but they’re there, they have what’s necessary, they have everything is there. It’s the storytelling, right? We say with CMMC in particular, much different I think than a lot of other frameworks. You got to tell the story. You got to be able to tell the story. And it isn’t just to tell the story, but you got to be able to tell the story because you got to have so much more than just, “Hey, I have a tool that does this.” It is much more documentation oriented, process oriented, boundary definition, data flows, all the stuff you mentioned. I just wanted to highlight that is something we see regularly, and it’s tough as an assessor to walk into an environment and work with the customer and you’re like, “I know they’re doing this stuff, but they can’t tell me how they’re doing it.

They can’t explain it. They don’t have any documentation to back it up.” And one thing we say with that is, and you kind of alluded to it, is I can’t really evaluate something that you don’t give me if you don’t give me documentation, or you can’t explain these things, or you don’t give me even a boundary, I don’t have something to evaluate what you give me even against. So I can’t even really make an informed decision. So the government obviously is going to see issues and problems with that. As far as what you just mentioned, the attorney-client privilege element, so would you say that’s a mitigation strategy from the standpoint of an organization sort of hedging their risk against a False Claims Act?

Michael Gruden:

I would say it’s a risk mitigation tool, right? I mean, it’s obviously not fully insulating you from non-compliance or any type of enforcement, but again, the working, I would say theory or belief that many uphold is that again, if there was sort of a discovery request or discovery demand that again, the response would be that again, through the furtherance of legal services, that again, the guidance that was provided by outside counsel and or the direction of another third party for their furtherance of those legal services, that again, that all would be protected under attorney-client privilege and therefore would be undiscoverable.

Cole French:

Are there any other mitigation strategies that you would advise for organizations? Or is that the first and foremost?

Michael Gruden:

Definitely not the only. I think it’s something to consider. I mean, I think foundationally, I think a lot of these are the same things that you would likely recommend to your companies too. But really again, it starts with just knowing your regulated data, knowing your contracts, and understanding what’s required within them. I mean, you’d be surprised that, again, many companies will have a handful of contracts but not really understand what’s specifically required within them. And I’ll mention too, everyone knows about now, I think, the default safeguarding clause, everyone knows about CMMC, but again, your contracts can include other and additional or even enhanced security requirements. And we see those quite frequently where again, there can be data localization requirements, there can be enhancements to the suite of cyber standards in NIST 800-171 where you’re required to do above and beyond or more than what’s required there.

And if you’re not sort of reading your contracts, you don’t know and you don’t really know how to follow those. And so that’s why it’s really critical to implement an internal cyber compliance program and have a lead person that’s responsible for managing that. If it’s either on the technical side, someone that’s leading that out of the office of the CIO. But oftentimes I think we found it really valuable to have a legal contact too that is liaising all this as well in conjunction with contracts because again, it really is kind a nexus between those various responsibilities. And if one is operating independently, that’s where we sometimes see things go off the rails, where again, one might be thinking that they’re putting forth a good faith effort and doing the best thing, but there might be a misinterpretation of the requirements. And that’s exactly where we’re seeing a lot of these issues come to head here.

I think something else, I think we would just flag to just be ensuring that, again, the accuracy of your documentation and also anytime you’re making a representation or certification to the government, that it is accurate and complete. And what I mean by that is, again, if you’re conducting a basic self-assessment to upload your score in SPRS, or now that we have the CMMC clause final rule here in the next couple months, companies will likely need to start in some instances, conducting self-assessments against CMMC. In the same vein, ensuring that you have an accurate interpretation of the security controls that are required, such that, again, when you’re attesting that you’re meeting them, that you’re actually doing what you say that you’re doing. And it’s the way that the government would actually interpret the control and not sort of just sort of an external armchair, if you will, perspective of interpreting these security control requirements.

And the other thing too, I’d call out too, in terms of mitigating risk as we’re thinking through and looking even towards CMMC for instance, is the requirements within that too of completing affirmations. That’s really critical from, again, when we’re thinking about the False Claims Act, because again, you’re making a written attestation and this official is supposed to be binding the company of stating, “Yes, our cybersecurity compliance is accurate and fully complete.” That affirmation will be required at the time or in conjunction with your CMMC certification when it’s finalized, but also every year thereafter. And so again, this is not a one and done thing, but again, the government is stating, “We really want you to stay on top of your cyber compliance. This is sort of a lifelong journey, and every year we’re going to require you to review this, and again, to attest that it’s accurate and current and complete.”

And so again, going back to risk mitigation is again, making sure that you’re dialed in and that you’re actively monitoring the efficacy of your controls and that they continue to maintain throughout their life cycle. And so what I mean by that is even after you obtain ideally your certification from CMMC that you again schedule again, likely a privileged readiness assessment several months prior to the need for your annual attestation, so that again, you have the high degree of confidence that yes, everything is in proper working order. Kind of like the same way when we think about a mechanic, right? You have to go and get your annual inspection or something before that you maybe want to go kick the tires around and pressure test, look under the hood, make sure everything’s topped off. Your wiper blades are working in the same way you want to do that with your network because the last thing you want to do is sort of get to that place of certifying again and realize that actually everything was not accurate and you don’t want that to sort of come up later in the court of law.

Cole French:

Yeah, I think those are great mitigation strategies and as we bring things to a close, I just want to hit on what you just described and something we’ve talked about a lot is risk, right? Identifying risk. So much of cybersecurity is really the root of it is beyond even really cyber. It is just a piece of really articulating the risks within your organization and then taking the appropriate actions and really something we talk about a lot too, what you just said, readiness assessments really. I know a lot of organizations are averse to the cost of things like that, but I think what we’ve talked about today really hits home that the cost of non-compliance can be much, much greater than the cost of having a third party come in every year, do a readiness assessment, not just do the, “Hey, check the box and sign the affirmation,” but actually come in, do a readiness assessment, identify really where we are, so that way what we’re attesting and affirming is accurate and defensible.

Michael Gruden:

Completely agree. Yeah, I mean, I think it’s, would you rather invest some money upfront and ensure that everything is in good working order, that you can continue to operate your contracting business and your contracting opportunities, or do you want to go down the route of multi-years of discovery and all of the fun that comes with that, and then landing potentially with settlements up in the tens of millions of dollars, and not even just the settlements are what matters, but also the reputational harm. Again, having to potentially list that on future proposals that are being submitted to the government or even potentially being suspended or debarred from future contract opportunities. The government’s taking non-compliance seriously, and so again, it’s sort of no longer, again, a try your best kind of arena. It really is. You have to do your best and you have to do what the government wants. And so the best way to ensure that is to, again, to align with external third parties that can help you validate that so that again, you have a confidence that, again, you can utilize this as sort of maintaining your stature in the marketplace.

Cole French:

Well, Michael, I really appreciate you taking the time to come on the Cyber Compliance and Beyond Podcast today. I think our listeners will find this to be a really beneficial episode, particularly that last section there on mitigation strategies. I think there was some really great insight there, and I just really appreciate you taking the time to share that with us today.

Michael Gruden:

Really enjoyed the discussion. Thanks for having me.

Cole French:

Thank you for joining us on the Cyber Compliance and Beyond Podcast. We want to hear from you. What unanswered questions would you like us to tackle? Is there a topic you’d like us to discuss or you just have some feedback for us? Let us know on LinkedIn and Twitter at Kratos Defense or by email at ccbeyond@kratosdefense.com. We hope you’ll join us again for our next episode. And until then, keep building security into the fabric of what you do.
