The False Claims Act (FCA) today bears little resemblance to the law President Lincoln signed 154 years ago to stop con artists like those who sold the U.S. Army gun powder barrels filled with saw dust or boots with cardboard soles.

Today, companies and individuals in all sectors of the economy who do business with the government, or participate even remotely in government programs, face a growing common threat: the risk that a whistleblower will label them a modern day huckster for failing to comply with some regulation, triggering a costly and lengthy government investigation, and potentially a lawsuit for treble damages and substantial financial penalties.

FCA risk in the Aerospace, Defense, and Government Services (ADG) industry is particularly significant for several reasons. ADG companies frequently enter into contracts with U.S. government customers, and those contracts often require upfront disclosures of information as well as affirmative certifications or representations of compliance with federal regulations and quality requirements. Noncompliance with these disclosure and certification/representation requirements can trigger staggering liability under the FCA, staggering because under the FCA the government recovers treble damages and civil penalties between $11,463 and $22,927 per false claim. DOJ reports that $2.8 billion was recovered in FCA actions during fiscal year 2018, $2.1 billion of which was linked to suits filed by a whistleblower who stood to recover up to 30% of the government's recovery. FCA rewards in the ADG industry are often headline grabbing when they relate to the high cost systems and services that may also have national security implications

This publication of ADG Insights addresses the five compliance topics that currently pose the highest risk of FCA liability for ADG companies. An understanding of this risk will help inform ADG companies on how to prioritize the elements of their compliance programs. The five risks addressed herein are:

  1. Cybersecurity
  2. Defective Pricing
  3. Supply Chain Risk Management
  4. Overbilling
  5. Defective Quality of Products or Services

ADG companies will want to ensure that coverage of these areas in their compliance programs is especially strong.

Top risk areas for ADG companies

Cybersecurity

ADG companies are frequent targets of cyber attacks given their propensity to store sensitive technical data as well as other government information that has national security implications or that otherwise is of high economic value. In recognition of this fact, the federal government has imposed a framework of cybersecurity requirements that typically requires ADG companies to make substantial investments in infrastructure that meets certain data safeguarding standards. Given these requirements and the attention cybersecurity currently is receiving, noncompliance has become a prime target for FCA whistleblowers.

As discussed in our ADG Insights of April 2019, Cybersecurity and Supply-Chain Developments and Trends for Companies that Conduct Business with the U.S. Government, the government is applying increased scrutiny on contractor compliance with cybersecurity requirements, including how those requirements are flowed down to subcontractors. ADG companies that conduct business with civilian government agencies are subject to the requirements of the Basic Safeguarding of Covered Contractor Information Systems rule. The rule is implemented in Federal Acquisition Regulation (FAR) clause FAR 52.204-21, which identifies 15 security controls, pulled verbatim from National Institute of Standards and Technology (NIST) Special Publication (SP) 800- 171, for safeguarding information systems owned or operated by contractors that process, store, or transmit specified federal contract information (FCI). FCI is broadly defined as information "not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government," but excludes information provided by the government to the public or simple transactional information. The rule is intended to impose baseline cyber protections that the government believes every business should be implementing as a "best practice."

ADG companies that conduct business with the Department of Defense (DoD) are subject to more stringent cybersecurity and incident reporting requirements. DoD's Network Penetration Reporting and Contracting for Cloud Services rule applies to all DoD contractors and subcontractors, including small business and commercial item contractors, except contracts for the acquisition of commercialoff-the-shelf items. Covered contractors are required to safeguard Covered Defense Information (CDI) and "rapidly report" cyber incidents on contractor systems with CDI. CDI is defined broadly to include unclassified controlled technical information or other information as described in the Controlled Unclassified Information Registry. Contractors are required to provide "adequate security" on all covered contractor information systems, which means at a minimum, implementing the security requirements in NIST SP 800-171 by no later than 31 December 2017. Rapidly reporting is defined as reporting within 72 hours of the contractor's discovery of a cyber incident using the reporting fields at https://dibnet.dod.mil.

To view the full article click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.