Nation's First Case of DFARS Non-Compliance Against DoD Contractor Underway
May 15, 2019 Technology News(PRLEAP.COM) Well, it finally happened. A Department of Defense contractor is being prosecuted under the False Claims Act for non-compliance with DFARS 252.204-7012. Aerojet Rocketdyne Inc. is currently facing legal action in the US District Court Eastern District of California under allegations that it knowingly misrepresented the extent to which it was compliant with DFARS and corresponding required protection on Controlled Unclassified Information (CUI).
Since its inception, government contractors subject to DFARS 7012 have been cautioned to take the clause seriously by taking immediate action and being transparent with the DoD on areas of noncompliance. DFARS compliance, until recently, has been a self-assessment exercise where the DoD contractor is responsible for implementing the appropriate security controls, System Security Plans, and Plans of Action and Milestones, and reporting such information back to DoD where required.
Invoicing on a contract subject to DFARS carries with it the representation that the contractor is fully compliant. Guidance has been published and should be carefully reviewed to best avoid possible prosecution under the False Claims Act. Given that this is the first case of its kind, it is expected that the court system will move cautiously through the litigation process. The allegations in question concern activities which took place in 2014 and 2015. Therefore, it is imperative for contractors currently in violation to take a proactive approach with their DFARS compliance efforts in order to avoid a future lawsuit.
If an organization is subject to DFARS 7012 and is not fully compliant with the 110 security requirements in NIST Special Publication 800-171, they can solicit the help of an outside firm who can provide an assessment of their current landscape, build a road map to compliance, and provide additional guidance, as needed, along the way.