The SafeLogic Blog

CMMC and the False Claims Act

June 23, 2020 Walt Paley

In a recent webinar promoting the development of the Cybersecurity Maturity Model Certification (CMMC), Katie Arrington made reference to the False Claims Act and encouraged attendees to look into it. Ms. Arrington is the Chief Information Security Officer, Office of the Undersecretary of Defense for Acquisition of the U.S. Department of Defense (DoD) and is leading the charge for CMMC, so when she suggested investigating it, I listened.

The False Claims Act (FCA) was first enacted in 1863 and has had a handful of amendments, including a crucial modernization in 1986 that made it the most effective antifraud law in the United States, according to the National Whistleblower Center. It was originally written to give recourse to the Union Army during the Civil War when untrustworthy defense contractors took advantage of the conditions, providing spoiled food or malfunctioning weapons, for example. Because it was passed during Lincoln’s presidency, it became known as the “Lincoln Law” in many circles and successfully gave teeth to the Army’s claims against fraud.

From the Department of Justice: The FCA provides that any person who knowingly submitted false claims to the government was liable for double the government’s damages plus a penalty of $2,000 for each false claim. The FCA has been amended several times and now provides that violators are liable for treble damages plus a penalty that is linked to inflation.

Note that there is a requirement to prove that the entity submitted the false claim (or caused the submission of the false claim) with knowledge of the fraud. Accidental duplication of invoices would not qualify. Erroneous charges or typos would not qualify. How about purposeful overbilling or entirely fabricated bills? These practices would absolutely qualify, and have been successfully pursued, resulting in some of the largest settlements in recent history. In fact, the DOJ successfully recouped more than $3 billion USD in settlements and judgments related to the FCA in the last complete fiscal year. Wow.

So yes, it is still actively and effectively deployed today. But why did Katie Arrington bring it up?
In the context of her comments, I believe it was to underscore some half-baked complaints from defense contractors about CMMC compliance being an undue burden.

Arrington reminded attendees that the aim of the CMMC is not to reinvent the wheel. Instead, the process is intended to standardize, confirm, and certify the Defense Industrial Base companies’ existing self-attestation claims of compliance with the various DFARS clauses and NIST regulations. If those self-affirmations have been truthful, the CMMC is really just a "prove it and approve it" exercise with a C3PAO (CMMC Third Party Assessment Organization). If it is a significant burden to implement procedures and protections, then the contractor has likely falsified self-attestations and was in violation of the FCA in previous contracts. That creates a certain kind of elegant Catch-22 for affected companies - complain about the process, complain about the timeline, complain about many things... but don’t complain about having to implement new security measures if you already attested that you had them in place.

FIPS 140 validated encryption is a key building block in CMMC, as with all Federal compliance programs that rely significantly on NIST expertise and recommendations. SafeLogic’s ability to provide drop-in modules for instant compliance, accelerate the FIPS validation, and provide expert support for the crypto implementation make us an extremely valuable partner to have in your Rolodex as you approach CMMC. Even better, we can complete all of those operations in parallel with your CMMC efforts so there is no time wasted.

Contact us anytime with questions and keep an eye out for our upcoming whitepaper on CMMC’s requirements for FIPS 140 validation.

Walt Paley

Walter Paley is the VP of Communications for SafeLogic. He is responsible for strategy, content, marketing, and outreach. Walt has worked with a series of start-ups and companies in growth stages, including Nukona (acquired by Symantec), Qubole, Bitzer Mobile (acquired by Oracle), and TigerText, among others. An alumnus of the psychology program at UC San Diego, Walt lives in Southern California with his wife, kids, and their black lab, Echo.
