
Cybersecurity Requirements for Government Contractors

Date Published: Feb 06, 2024

Federal contractors are now legally required to uphold certain cybersecurity standards in order to be in compliance with their contracts with government agencies. In many ways, this change is a positive one, bringing more clarity and structure to the way that contractors conduct business. Ensuring compliance with cybersecurity protocols is in everyone’s best interests—preventing hacks, data breaches, and ransomware attacks saves contractors money while protecting taxpayer data and investment.

However, contractors who do not meet these standards may face severe financial penalties. Companies that fail to meet the minimum cybersecurity requirements for government contractors can now face civil liability under the False Claims Act. Whistleblowers who report these violations can also recover financial rewards and receive protection against retaliation from their employers.

NIST Cybersecurity and Fraud

Most companies already have cybersecurity systems in place to regulate authentication and access. However, not all systems and protocols are created equal. Federal contractors are required to ensure that their company’s protocols align with the framework published by the US National Institute of Standards and Technology (NIST). NIST SP 800-171 is the current version of that framework, and it specifies how contractors and subcontractors of federal agencies must protect Controlled Unclassified Information (CUI).

Not every element of being in compliance with NIST standards involves complex data handling policies or even increased financial investment. Data from McKinsey & Company shows that more than 70% of cyberattacks across the globe come from financially motivated individuals who deploy relatively simple techniques, such as phishing emails, in order to reach their end goals. Some elements of cybersecurity compliance for federal contractors involve rising to meet these kinds of challenges. Examples include implementing strong password controls, decommissioning old operating systems, and investing in multi-factor authentication technology.

Defense Federal Acquisition Regulation Supplement (DFARS) Compliance

NIST SP 800-171 is designed for use by non-federal organizations in general. Its protocols are based on a cybersecurity management framework initially created for contractors working with the Department of Defense. Defense contractors often handle information that carries additional risk, and they may be targeted by nation-state threat actors as well as financially motivated cybercriminals. Some elements of Defense Federal Acquisition Regulation Supplement (DFARS) compliance include having in place a:

  • Security information and event management (SIEM)
  • Comprehensive multi-factor authentication system
  • Endpoint detection and response (EDR) solution
  • Vulnerability management solution

Additional Cybersecurity Protocols for Government Contractors

Depending on what area of the federal government your company contracts with, you may have additional obligations and cybersecurity duties as specified in your work agreement. Even small businesses or small-to-medium manufacturers are not exempt from enacting qualifying cybersecurity measures when contracting with the federal government. Free resources are available to ensure that your company is within compliance.

Other cybersecurity protocol examples include:

Proposed Changes to the FAR Framework

Unfortunately, many contractors do not meet the compliance standards set by DFARS, NIST, the Cybersecurity Maturity Model Certification (CMMC) program, or other required frameworks. A recent study of 300 U.S.-based DoD contractors found that only 13% currently qualify for a Supplier Performance Risk System (SPRS) score of 70 or above. Under DFARS, a score of 110 is required for full compliance.

In order to encourage and streamline cybersecurity protocol compliance, some federal agencies such as the GSA, NASA, and DoD have proposed new standardized contract language as well as the implementation of updated reporting measures. The proposed changes also include:

  • Developing and maintaining software bills of materials (SBOMs) for all software used as part of a federal contract.
  • Individual procurement certifications as well as system certification.
  • Fuller collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) on incident response initiatives.
  • FBI and DOJ access to “applicable contractor information and information systems” in the event of a cybersecurity incident.

Penalties for Non-Compliance with Cybersecurity Protocols for Government Contractors

DFARS, NIST, FAR, CMMC and other federal cybersecurity requirements are all reasonable standards to expect of contractors entrusted with important information. Since the Biden Administration announced its Civil Cyber Fraud Initiative in 2021, companies that fail to meet these standards, fail to report data breaches, or falsely certify that they are in compliance can be held accountable under the False Claims Act.

False Claims Act liability entails treble damages as well as a per-violation civil penalty that is adjusted for inflation. The False Claims Act may be used against a contractor that wrongfully certifies that its protocols meet NIST or DFARS requirements, fails to report hacks or other cybersecurity incidents when bidding for contracts, or otherwise fails to meet the minimum data protection standards required by its federal contracts.

How to Report a Contractor for Non-Compliance

Whistleblowers who report cybersecurity non-compliance by federal contractors can be eligible to receive part of the settlement when they report the violation through a False Claims Act action. A whistleblower payment may be anywhere from 15 to 30% of the overall recovery. Speaking with a cybersecurity fraud lawyer is the best way to ensure that your claim meets all of the requirements for receiving federal whistleblower benefits and protections.

Cybersecurity fraud whistleblowers are often insiders such as contractor employees or IT professionals, or competitors in the field. Your cybersecurity fraud attorney will be able to tell you what kinds of proof are necessary to build your specific claim, and will ensure that you share only what can legally be accepted in a court of law.

Speak with a Cybersecurity Fraud Lawyer

Not every whistleblower claim is taken up by federal investigators. Because of this, working with an experienced and reputable cybersecurity fraud law firm is the best way to ensure that your cybersecurity fraud whistleblower claim receives the fullest consideration possible. In the event that your claim is ignored or rejected, our whistleblower lawyers can also bring your case to court, fighting for you to receive the highest whistleblower award percentage possible in the event of a successful recovery.

For a complimentary and confidential consultation about your cybersecurity fraud whistleblower disclosure, contact the cyber fraud attorneys at Tycko & Zavareei LLP.
