A recent federal court decision signals the beginning of what could be a wave of lawsuits against federal contractors over compliance with cybersecurity requirements under DFARS 252.204-7012 (Safeguarding Covered Defense Information & Cyber Incident Reporting). The case involves a false claims action brought by a federal contractor employee alleging the contractor fraudulently claimed it was in compliance with this DFARS requirement. The federal contractor argued that the U.S. Department of Defense had never expected full compliance, which is evidenced by the amended guidance and regulations that have come out since early 2018. The court rejected the federal contractor’s argument and stated that compliance still impacted the federal government’s decision to contract with the company. To access AGC’s webinar on these cybersecurity requirements, click here.
This decision is the first ruling invoking DFARS cybersecurity compliance, but it is expected that this case may open the floodgates for similar actions brought by whistleblowers and perhaps other project stakeholders. AGC has repeatedly communicated the difficulty many construction contractors have had implementing these complex cybersecurity requirements. DOD has consistently stated that the agency does not plan on auditing contractors’ electronic devices, but will rely on contractors attesting to their compliance with the requirements. As AGC first reported in 2017, Department of Defense contractors must follow security control requirements to ensure sensitive federal information remains confidential when stored in any non-federal electronic system under this provision.
For more information, contact Jordan Howard at jordan.howard@agc.org or (703) 837-5368.