Last month, the Federal Acquisition Regulatory Council proposed new cybersecurity and incident reporting regulations for federal contractors on behalf of the Department of Defense (DoD), the General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA).
The proposed regulations include data incident reporting requirements that the government has explicitly designated as material to eligibility and payment under government contracts, meaning a failure to follow the reporting requirements could be grounds for False Claims Act liability.
Under the proposed rule, contractors would be required to create a “software bill of materials (SBOM)” for the software they use. Contractors would also be required to grant access to and cooperate with the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Justice (DOJ) for purposes of threat hunting and incident response. Additionally, contractors would be required to “immediately and thoroughly investigate all indicators that a security incident may have occurred and submit information using the CISA incident reporting portal within eight hours of discovery … [and to] update the submission every 72 hours thereafter until the Contractor, the agency, and/or any investigating agencies have completed all eradication or remediation activities.”
Reporting Data Incidents Is Not a Novel Requirement for Federal Contractors
- The Defense Federal Acquisition Regulation Supplement (DFARS), through clause 252.204-7012, requires reporting within 72 hours of discovering a cyber incident affecting covered defense information, a category of DoD controlled unclassified information.
- The Homeland Security Acquisition Regulation (HSAR) requires reporting of any cybersecurity incident that could affect controlled unclassified information within eight hours or within an hour if it involves personally identifiable information (PII).
- The National Industrial Security Program Operating Manual (NISPOM) requires prompt notification of cyber incidents involving classified information.
- The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), once implementing rules are final, will require entities operating within one of the 16 critical infrastructure sectors to report a covered cyber incident to CISA within 72 hours after the entity reasonably believes the incident has occurred.
Proposed Regulation Increases False Claims Act Risk
What is notable about the Federal Acquisition Regulatory Council’s newly proposed regulation is that it is expressly intended to “underscore that compliance with information-sharing and incident-reporting requirements are material to eligibility and payment under Government contracts.”
Materiality is an often-litigated element in False Claims Act cases, requiring proof that a contractor’s noncompliance with a regulation or contract provision is “material” to the government’s decision to pay for a good or service. The proposed regulation would make explicit that reporting a cyber incident is a material condition of payment. As the Supreme Court held in Universal Health Services, Inc. v. U.S. ex rel. Escobar, the government’s decision to expressly identify a requirement as a condition of payment is relevant to, though not automatically dispositive of, materiality under the False Claims Act.
As we’ve written about previously, DOJ launched its Civil Cyber-Fraud Initiative to leverage the False Claims Act to hold entities accountable when it believes they have “put US information systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cyber incidents and breaches.” By expressly designating the incident-reporting requirements as material to payment, the government is signaling its view that a violation of these requirements would be material and thus grounds for imposing False Claims Act liability.
Takeaways for Federal Contractors
Whether courts will agree that satisfying each requirement of the proposed regulation is actually material to the government’s payment decision remains to be seen, but federal contractors should take note that this is yet another sign that the federal government considers cybersecurity and incident reporting to be a high priority.
Federal contractors should have incident response plans in place identifying the procedures to follow if a cyber incident occurs and the individuals responsible for each task. Notifying the appropriate agency and CISA within the reporting window should be added to the response plan, as failure to do so could potentially result in False Claims Act liability. Because the proposed rule starts the eight-hour clock at discovery of indicators that an incident may have occurred, the plan should also define who decides when an indicator has been “discovered,” who owns the CISA portal submission, and how the required 72-hour updates are tracked until eradication or remediation is complete.
Comments on the proposed rule are due December 4, 2023, and we will continue to monitor the rule-making process and publish updates as they become available. If you have any questions about the proposed rule or cyber incident response plans, please contact the author.