Defense contractors are or should be busy putting together self-assessments of their cybersecurity. Under the Cybersecurity Maturity Model Certification program, those self-assessments are due at the end of the month. The question is how the government will use them. For more, Federal Drive with Tom Temin turned to CMMC expert and Rogers-Joseph-O’Donnell partner Bob Metzger.
Insight by LookingGlass: Federal technology experts provide insight into how agencies are approaching cybersecurity in the new virtual climate in this exclusive executive briefing.
Tom Temin: Bob, the question that you’ve raised in a pretty widely circulated essay in the last couple of weeks is will they be baselines just to get into the door or will they be criteria for source selection evaluation? What’s your take?
Bob Metzger: Well, it’s a key question. So we know that effective December 1 solicitations are going to go out to the contractors that require them to submit a basic assessment, a self assessment of their satisfaction of the 110 cyber controls that are in NIST Special Publication 171. Now the assessment is a net assessment, you can get a maximum score of 110. But if you fail to meet requirements, then you reduce your score, not just by a single point for each control, because some of the controls are weighted. There are 5 point controls and there are 3 point controls. So if you were to miss five five point controls, well then you take a 25 point deduction from your score. Well here’s the question. We know that companies have to prepare the self assessment. And we know that they have to post it on the supplier performance risk system, a DoD database. And we know that many companies are going to submit scores that are less than that 110 perfect score. And it’s also quite likely that some of those companies will submit scores that are maybe half of 110, or even less. Well, what happens? If you look at the the new rule, all it says is that you have to post that score and have it in place at the time that you would receive a contract award. But we can also look elsewhere. And we can see that duty contracting officers are supposed to look at this SPRS system in order to assess supplier risk. And when they look at that system, they may see the companies they intend to make an award to have a low score. Well are they just going to ignore it and say, well any score is good enough? Or are they going to use it for some other purpose? My analysis is that DoD, once it has the information, will likely act upon it. They have the ability to consider a low score, and to decide that a company is not responsible for award. They can create special responsibility criteria and even tell companies in advance what the minimum score is that they would require. And there are ways in which they can tell companies that in their competitive evaluation, they’ll be looking to the scores, and perhaps even comparing the scores of offered wars. The key point is this, checking the box and submitting the score as required, for sure. But no company should assume that any score is good enough. And every company should be motivated to improve their score.
Tom Temin: Yeah, I think you make a key point in mentioning check the box. And that is it’s everyone’s desire, certainly DoDs desire that it not become another check box exercise, like so many other scoring systems in the government, but really an actionable condition for contracts.
Bob Metzger: That’s exactly right. Too often, there will be important objectives that are served by regulation and contract clause. But the way in which they filter accompanies is that you essentially say, yes I did it, or no I didn’t. And then beyond that, in many cases, all you have to do is to assert either impliedly or directly that you’ve done it. Well security doesn’t really work that way. We live in dynamic times, the threat changes, vulnerabilities emerge, new tactics and techniques and procedures evolve. And so it’s important that companies not only meet the minimum prerequisites, such as the submission of this SPRS score, but it’s important that they also improve their security and close any gaps and that they maintain their security over the period of time of that initial assessment.
Tom Temin: And that gets to the next issue, which is the False Claims Act. Because if you certify you’ve got 110, say, controls in place, but one of them turns out to be turned off, or you overlooked something, then potentially contractors are in the False Claims Act violation situation. That could be pretty dangerous.
Bob Metzger: Very. I’ve said many times that as difficult and costly as it could be to satisfy all 110 requirements of this 171 cyber control set — it’s a lot less expensive than finding yourself subject to a False Claims Act investigation or filed litigation, those are incredibly disruptive and expensive even before you get to damages. Well, there’s a couple of places where FCA exposure could emerge. We know, beginning December 1, that companies will have to submit that self assessment. They also have to submit a date by which they’re going to close out any of the gaps that they found in their self assessment. Well, some companies are going to be tempted to report a higher score than they actually earned. Some companies may be tempted to report a score without actually doing the assessment, or to do an assessment without having a system security plan, that would be the basis of the assessment. At the same time, companies may also promise that they’re going to close those gaps and get to 100% compliance faster than they intend to. Well, in that situation, if you act with an intent to mislead the government, or with reckless disregard of the truth of what you submit, well, you could find yourself exposed to the False Claims Act. And the government’s theory would be that once you post these scores, you are representing to the government a certain level of cyber compliance, and you are representing also to the government that you’re going to make it better and fix it over the time that you promise. Well false representations are not true, what that implies is that the government awarded you a contract, deemed you eligible to receive a contract on false premises. And if that’s the case, the government, in theory, could say that it would never have given you the contract at all. And it could demand that it be paid as damages, not just some significant forfeiture penalties, potentially even all the money that you were paid on the contract that the government didn’t think you should have had in the first place.
Tom Temin: So potentially, then a whistleblower at a company, for example, could notify the authorities that, hey there’s only 104 of the 110 controls that this company said are in place. And even if there’s not a cybersecurity related incident at the company, that could be grounds for False Claims Act regardless.
Bob Metzger: Yes. So there are examples of situations where there’s been debates and disagreements within companies. And where a company has gone ahead and taken a contract and pledged a certain level of cyber performance where employees disagree. And one of those led to a well publicized the False Claims Act case brought against Aerojet out out in California, case is still pending. Well, in this situation, there’s going to be stress on companies. Clearly there is a requirement to document your security, make the self assessment, report it and promise a date to fix it, they’re going to be internal disagreements. And if if someone disagrees, and they cannot be persuaded that the company is taking a responsible, ethical and truthful approach, it cannot be dismissed that such a person could become a qui tam whistleblower. Now, the fact that a person makes a False Claims Act allegation certainly doesn’t make it so. And there are examples of where whistleblowers have have brought unjustified claims and are seeking to exploit the potential opportunity to make a bounty and getting a share of a false claim tax settlement. But I expect that we will see more activity where companies feel pressure not only to satisfy the government, but to satisfy the insistence of some of their own internal employees.
Tom Temin: And just a thought on the change of administration presuming that President Elect Biden does, in fact, assume office on January 20th. Does this seem like a policy and program that is likely to sustain itself across these two administrations?
Bob Metzger: Well, that is a huge question. So I’d like to distinguish between the reasons for this CMMC and cyber initiative on the one hand, and the methods that are taken in response. I like to think of the reasons as reflecting risk and risk is a function of threat and vulnerability and the consequences of a cyber attack, or breach if successful. I don’t think any of those factors, threat vulnerability or consequences change for the better, whether it be the day after the election or the day after the inauguration. So the security environment in which we operate remains the same and it’s not a safe one. It’s a dangerous environment where adversaries are highly skillful. They are determined and they have been unfortunately, all too successful. All that says is that we have continuing reasons in a new administration to protect the confidentiality of sensitive information held by the defense industrial base and other federal contractors. But where things could change is on the mechanics. The Trump administration has taken quite an assertive approach. The combination of this DoD assessment method and the new CMMC initiative has consequences to literally hundreds of thousands of companies who are federal contractors. It’s demanding. And it involves a high degree of government oversight initially, and then industry oversight of itself. There are people that question whether it’s asking too much of too many. There are people who will wonder whether the cost expended will be justified by the results in security. And because those questions may have some legitimacy to the new administration, it would not surprise me if those who acquire authority within the Department of Defense were to pause some aspects of these new initiatives and to rethink how some of it should best be done. Do I think that CMMC will be abandoned? No. Do I think that DoD will give companies free hand to promise security without DoD checking to see whether it’s true? No. But we have to find a way to balance the objective, the necessity of better security, with confidence that it can actually be achieved at an affordable cost by a substantial fraction of our industrial base.
Tom Temin: Attorney Bob Metzger is a partner at Rogers-Joseph-O’Donnell. Thanks so much for joining me.
Bob Metzger: Thank you.