The False Claims Act and NIST 800-171: What You Need to Know

Last fall, the Department of Justice (DOJ) announced its new Civil Cyber Fraud Initiative to enforce cybersecurity standards and reporting requirements.

Let’s dive into how the Civil Cyber-Fraud Initiative, the False Claims Act (FCA) and NIST 800-171 relate to one another, and how your organization should approach compliance with its government contracts.

What is the False Claims Act?

According to the DOJ, the False Claims Act is “the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations. The act includes a unique whistleblower provision, which allows private parties to assist the government in identifying and pursuing fraudulent conduct and partnering in the recovery, and protects whistleblowers who bring these violations and failures from retaliation.”

DOJ’s Civil Cyber-Fraud Initiative

Riding on the coattails of the False Claims Act, the Civil Cyber-Fraud Initiative is an important tool for enforcing civil fraud law, as well as the procurement and cybersecurity requirements defined in government contracts.

The Civil Cyber-Fraud Initiative leverages the False Claims Act in three ways to hold accountable companies that:

  • Knowingly or unknowingly misrepresent cybersecurity practices of their organization
  • Fail to follow required cybersecurity standards
  • Knowingly fail to report cybersecurity incidents in a timely manner

Key Takeaway: Abide by contractual standards or face significant penalties!

What is NIST 800-171?

NIST 800-171 (National Institute of Standards and Technology Special Publication 800-171) sets the security requirements for contractors with access to Controlled Unclassified Information (CUI). It’s designed to protect the integrity of CUI and ensure that only vendors meeting a specific set of cybersecurity requirements ever have access to it.

Under the DFARS Interim Final Rule rolled out in late 2020, the DoD announced that government contractors would be required to submit a self-scored NIST 800-171 assessment.

Adhering to required cybersecurity standards can make or break your business

Companies that fail to abide by the cybersecurity standards required by their contracts may face hefty penalties. Penalty fines, combined with the potential loss of government contracts, could create substantial risks to businesses’ revenue streams.

In the DOJ’s first settlement under the Civil Cyber-Fraud Initiative, a provider of global medical services agreed to pay $930,000 to settle False Claims Act allegations that it falsely represented compliance with contract requirements.

SSE Can Help You Prepare Your Business

With the complexities around NIST 800-171, the DFARS Interim Final Rule and Cybersecurity Maturity Model Certification (CMMC), SSE can serve as your expert in validating your NIST 800-171 Assessment and/or preparing your company with what is necessary to complete a self-assessment.

SSE has been accredited by the CMMC Accreditation Body as a Registered Provider Organization (RPO). Let us demonstrate how we can help. Schedule your complimentary NIST 800-171 & CMMC Readiness Assessment to get started.
