DOJ's Message to Government Contractors
Government contractors have been put on notice.
In a less-than-heartwarming update from the Department of Justice, the Deputy Attorney General unveiled the Civil Cyber-Fraud Initiative.
In short, contractors who manage IT systems for government entities have liability under the False Claims Act (FCA). The FCA was originally enacted in 1863 in response to government contractor fraud during the Civil War. So it's kind of the "OG" in this space.
And the penalties can be HUGE. Originally, the law called for double damages plus $2k for each false claim. Then, the FCA grew some fangs. The penalties now stand at treble damages PLUS a penalty linked to inflation. For those not living under a rock, inflation is a little insane right now, too!
Ok, so these penalties definitely get our attention, so let's consider what the Cyber-Fraud Initiative is focused on prosecuting:
In the DOJ's own words - The initiative will hold accountable entities or individuals that put U.S. information or systems at risk by:
- Knowingly providing deficient cybersecurity products or services
- Knowingly misrepresenting their cybersecurity practices or protocols
- Knowingly violating obligations to monitor and report cybersecurity incidents and breaches
(emphasis ours)
For those paying attention to the alliteration here... the word "knowingly" seems to be quite critical. Even for upstanding MSPs, a strong prosecutor can certainly make this a tough standard to defend against.
To spice things up a bit more, "the FCA allows private citizens to file suits on behalf of the government..." And those whistleblowers even stand to get a piece of the government's winnings.
In short, the DOJ means business here. This is both scary for government-focused MSPs and encouraging for the government to tighten up their security.
Here's the upshot: this helps remove the weak (i.e. risky) IT service providers with their often unthinkably low rates. You know, the ones that seem to lack legitimate cyber know-how? Yeah... you know those!
So what's next?
We can take some cues from CMMC for guidance on adequately protecting government clients.
But to be sure, we'll wait for the real attorneys (i.e. NOT us) to give us all better guidance on what this added liability means for the industry. How do MSP Partners effectively document practices, processes and products inside these organizations?
One thing we know for certain - Security Awareness Training is continually called out in compliance requirements.
And we make it easy!
If you're an MSP and want to learn more, go check out how we Partner with you here. If you like what you see, book a time to chat!
Photo by Ian Hutchinson on Unsplash
And just to make it abundantly clear: none of this is legal advice! We're definitely not attorneys (sorry Mom!), so go chat with yours, if needed.