The Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program and newly issued cybersecurity rule present contractors with a range of compliance issues as they prepare for expanded third-party and DoD assessments of their information systems that will be a condition of eligibility for nearly all defense contracts.
Among these issues is how to manage disputes and litigation related to DoD’s assessment and verification regime, as well as risks of False Claims Act (FCA) liability. DoD’s interim rule to implement CMMC released on September 30, 2020 confirms that the non-governmental CMMC Accreditation Body (CMMC-AB) will adjudicate assessment-related disputes, but details are pending. Key questions remain about how disagreements related to DoD’s cybersecurity assessment regime will be resolved, what remedies will exist, and what procedures will be available at different stages. There is also uncertainty about the roles of courts and the Government Accountability Office (GAO) given CMMC’s reliance on nongovernmental entities and third-party verification.
This article focuses on three areas companies should consider as they prepare for DoD’s program, which it plans to gradually implement over the next five years:
- Disputes related to third-party assessments and certifications;
- The impact of CMMC on source selection decisions and bid protests; and
- Emerging risks of qui tam FCA suits related to cybersecurity non-compliance.
DoD’s Emerging Assessment Regime
Intended to protect the defense supply chain, CMMC provides a unified framework for safeguarding Controlled Unclassified Information in the Defense Industrial Base. Version 1.02 of CMMC consists of 171 practices and five processes organized into 17 domains and mapped across five levels of “maturity” ranging from Basic Cyber Hygiene (Level 1) to Advanced/Progressive (Level 5).
In its interim rule, DoD adopts regulatory changes to the Defense Federal Acquisition Regulation Supplement (DFARS) intended to roll out CMMC incrementally until October 2025, at which point CMMC will be required for all non-commercial off-the-shelf defense solicitations and contracts above the micropurchase threshold. The interim rule takes effect November 30, 2020, and will be finalized after DoD considers the public comments it receives.
Accredited assessors employed by non-governmental CMMC Third-Party Assessment Organizations (C3PAOs) accredited by the CMMC-AB will be responsible for assessing some 200,000 contractors’ compliance and issuing certifications at one of the five CMMC levels. Companies subject to CMMC will need to be certified by the time of DoD’s award.
The interim rule also adopts a separate track of assessments for companies whose contracts include the standard cybersecurity clause in DFARS 252.204-7012. That clause requires contractors that process, store, or transmit so-called Covered Defense Information (CDI) to provide “adequate security” on their systems by, at a minimum, implementing the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, and to report cyber incidents post-award should they occur. Under the interim rule, companies subject to NIST SP 800-171 and DFARS 252.204-7012 will have to undergo assessments using the “NIST SP 800-171 DoD Assessment Methodology.” At a minimum, such companies will need to perform a Basic Assessment, which is a self-assessment performed by the contractor indicating the extent of its compliance with NIST SP 800-171. DoD also has discretion to perform Medium or High Assessments, which the Department expects to conduct on a “finite” number of contractors annually.
Potential Dispute Areas
Several factors highlight the importance for companies to adopt strategies and processes to manage disputes and mitigate litigation risks related to CMMC and NIST SP 800-171 assessments.
• The cybersecurity legal regime is changeable, as is the nature of the threat. DoD components may supplement CMMC and NIST SP 800-171 with their own cybersecurity requirements. This state of flux makes disagreements more likely.
• The program presents high stakes for industry. Because CMMC and Basic Assessments of NIST SP 800-171 compliance will be a “Go/No Go” criterion in source selection, contractors will be motivated to protect their interests.
• CMMC imposes new obligations on primes and their suppliers. As primes perform diligence on their vendors related to CMMC, disputes can arise both between primes and subs and potentially with C3PAOs and the CMMC-AB.
• Cybersecurity requirements provide fruitful territory for qui tam litigation under the FCA, heightening the consequences of non-compliance.
These issues bear upon CMMC’s implementation. In the report on its version of the FY 2021 National Defense Authorization Act (S. Rep. 116-236), the Senate Armed Services Committee directs DoD to brief the committee annually on CMMC, including on the status “of mechanisms within the [DoD’s] CMMC framework for fraud prevention, bid protest, and dispute resolution[.]”
Assessment and Certification Disputes
DoD’s interim rule indicates that the CMMC-AB will be responsible for resolving assessment-related disputes, but there are few details. Contractors will be able to bring assessment-related challenges before the CMMC-AB “related to claimed errors, malfeasance, or ethical lapses” by a C3PAO, and then seek further review before the CMMC-AB if the contractor “does not accept” the CMMC-AB’s preliminary finding. The CMMC-AB’s website defines “dispute” to mean a “formal process managed by the CMMC-AB” through which an assessor and an organization seeking certification “can seek resolution of a disagreement” over assessment results. A “Dispute Adjudicator” is a CMMC-AB employee “who is responsible for reviewing and resolving a Dispute.” But many questions remain, such as what procedures will be used, what standards will apply, and how long appeals will take.
CMMC’s reliance on non-governmental entities raises legal issues. The Contract Disputes Act and the Disputes clause, FAR 52.233-1, apply to claims against the government. The U.S. Court of Federal Claims and the Armed Services Board of Contract Appeals lack jurisdiction over disputes between private parties, and the Court and GAO can only review bid protests that challenge an agency’s procurement-related decisions. The extent to which actions and decisions made by C3PAOs and the CMMC-AB may be challenged is thus uncertain. Litigation in federal district court is conceivable. Having DoD engage in the resolution of CMMC certification disputes in at least some circumstances could provide for better predictability and accountability but would bring about its own set of issues.
It is also reasonable to expect that DoD-performed assessments of contractors’ implementation of NIST SP 800-171’s controls will result in disputes. Under DoD’s interim rule, contractors will have an opportunity for “rebuttal and adjudication” of their assessment scores. Again, many questions remain. For now, it appears that dissatisfied contractors will have a strong incentive to explore all available legal options.
Source Selection and Bid Protests
CMMC may also give rise to bid protests related to agency source selections. It is unclear what criteria agencies will use to determine CMMC levels for primes and lower tiers. A lack of uniform practice across DoD could generate allegations of arbitrary and capricious decision-making, especially to the extent that agencies err on the side of requiring higher CMMC levels.
A protest of an agency’s choice of CMMC level would have to overcome case law giving agencies deference when defining their requirements. In its recent protest of DoD’s JEDI procurement for cloud services, Oracle argued that certain “gate” solicitation requirements—including that offerors be “FedRAMP Moderate” authorized—were unduly restrictive of full and open competition and impermissible “qualification” requirements. But on September 2, 2020, the U.S. Court of Appeals for the Federal Circuit rejected those arguments, explaining that it was “hesitant” to “override the agency’s judgment as to its needs” for security. Oracle Am., Inc. v. United States, Fed. Cir. 19-2326.
Allegations of Organizational Conflicts of Interest (OCIs) may also arise. For example, firms that offer consulting services regarding CMMC and that also bid on contracts may acquire access to non-public, proprietary information about other companies. Disappointed offerors may seize on these new types of relationships to challenge awards.
False Claims Act
Another risk area is the FCA, which provides for treble damages and penalties when a person knowingly submits, or causes to be submitted, a false or fraudulent claim to the United States. Under the case law recognizing an implied false certification theory, liability arises when a company not only requests payment from the government but also makes specific representations about its goods or services while failing to disclose non-compliance with material statutory, regulatory, or contractual requirements.
CMMC’s third-party verification could reduce FCA exposure based on cybersecurity violations. But compliance is an ongoing responsibility. Obtaining CMMC certification will not protect a company from a qui tam lawsuit if it recklessly disregards its cybersecurity obligations or falsely validates its own or a subcontractor’s compliance. Apart from CMMC, the interim rule’s new requirement that contractors report their self-assessed scores reflecting the extent of their implementation of NIST SP 800-171’s controls will also present FCA risks. Inaccurate or unsubstantiated scores could result in alleged FCA violations. Key questions in future cases include how courts will address the issue of falsity involving cybersecurity controls, as well as the requirement that the alleged non-compliance be material to the government’s payment decision.
In May 2019, the district court in Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-2245 (E.D. Cal. 2019) declined to dismiss allegations that a contractor fraudulently entered into contracts with DoD and NASA despite knowing non-compliance with cybersecurity controls. The court held that the whistleblower sufficiently pled “materiality” because the alleged violations “could have affected” the company’s ability to handle technical information related to its contract. Will courts handling future qui tam cases based on cybersecurity treat all CMMC controls as equally material? Or will they take a narrower approach?
Final Thoughts
An effective approach to managing disputes and FCA risks is an important aspect of CMMC’s implementation. Companies can benefit from considering these issues at an early stage of the program. Companies may wish to include language in their teaming agreements with partners related to CMMC and NIST SP 800-171 assessments and, to the extent possible, seek to negotiate clear disputes settlement clauses in contracts with assessors and vendors. Documenting ongoing compliance with cybersecurity requirements and ensuring mechanisms exist to respond to allegations of non-compliance can help mitigate FCA risks.
This article was published in the Fall 2020 edition of PSC's Service Contractor Magazine.