Public Contract Law Journal

Public Contract Law Journal Vol. 54, No. 2

Revitalizing the Cybersecurity Partnership: Analyzing the FAR’s Proposed Information-Sharing Rule and Potential FCA Liability

Steffanie Lee

Summary

  • Moving away from a penalty approach and rebalancing the risk to government contractors will likely advance the government’s goals of achieving public-private partnerships and bolstering the country’s cybersecurity posture.
  • Incentivized reporting can advance the cyber resiliency of government contractors and subsequently the private sector.
  • The Cybersecurity and Infrastructure Security Agency (CISA), which is responsible for handling all incoming cyber reports, may be better positioned to consolidate and set cyber-incident reporting requirements.

Abstract

Cybersecurity poses serious and significant threats to the United States’ national security. However, a lack of cooperation between the federal government and private companies has made it increasingly difficult to identify vulnerabilities and threats to the nation’s digital infrastructure. In attempting to address this gap, federal agencies passed numerous and often conflicting cyber-incident reporting regulations. Consequently, government contractors must untangle and deconflict various reporting requirements or potentially face severe False Claims Act (FCA) damages and penalties, as well as other contract liabilities. This Note proposes an update to the Department of Justice’s cooperation credit program that better levels the playing field in an increasingly punitive cyber-incident reporting compliance system. Moving away from a penalty approach and rebalancing the risk to government contractors will likely advance the government’s goals of achieving public-private partnerships and bolstering the country’s cybersecurity posture.

I. Introduction

President Joseph R. Biden emphasized the critical role of cybersecurity in the administration’s 2023 National Cybersecurity Strategy Report, stating that “[c]ybersecurity is essential to the basic functioning of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national defense.” Collectively, individuals are progressively dependent on digital systems as technology now touches the “most sensitive aspects of our lives.” The nation’s critical infrastructure sectors are also digitizing their systems, presenting unique national security, economic, public health, and safety risks as cyberattacks target “an extensive network of independent IT systems and services that power our homes, run our economy, and allow for communication and travel.” As the public’s reliance on technology grows, the consequences of cyberattacks become more debilitating.

At the same time, the federal government is trying to protect the nation’s digital infrastructure from increasingly sophisticated cyber criminals, but these efforts depend—in large part—on private-sector partnerships to identify the full scope of the cyber-threat landscape. Despite the government’s need for more cyber-threat data, the market disincentivizes companies from investing in cybersecurity or disclosing cyber incidents, either due to a lack of resources or concerns over compliance obligations, which further impedes threat detection and analysis efforts. Too often, the competing priorities of the private and public sectors encumber the coordination necessary to meaningfully improve the nation’s defense of cyberspace.

To date, the federal government attempted to address this tension between the two sectors through a myriad of statutory and regulatory efforts. Notably, the government continues to leverage its purchasing power to influence the cybersecurity practices of government contractors with the hope that those standards will spread throughout the private sector. But as more agencies pass cyber regulations in an attempt to bridge the public-private divide, contractors are left to navigate a confusing regulatory patchwork with varying and conflicting incident reporting requirements across the federal government.

In 2023, the Federal Acquisition Regulation Council proposed an amendment to the Federal Acquisition Regulation (FAR) to broaden government contractors’ cybersecurity responsibilities through cyber threat and incident reporting and information sharing between government contractors and federal agencies. The amendment also expands the Department of Justice’s (DoJ) ability to bring False Claims Act (FCA) actions against companies that fail to meet the new cybersecurity requirements, exposing government contractors to greater risk of lengthy and expensive litigation, as well as possible fines and treble damages. Although the proposed FAR amendment would modernize contractors’ cybersecurity postures, greater FCA enforcement of cyber-incident reporting may only disincentivize private companies from contracting with the government and, by extension, minimize the reach of cyber regulations. Instead of implementing a penalty-based enforcement approach, harmonizing regulations and amending the DoJ’s current FCA cooperation credit program to reduce mandatory damages and penalties for good-faith contractors will advance the government’s goals of improving public-private partnerships and strengthening the nation’s cybersecurity.

This Note analyzes whether additional cyber regulations with severe penalties further the government’s goal of improving cyber reporting and information sharing between the two sectors and ultimately achieve greater private-public cooperation. Part II of the Note provides background on the nation’s current cyber-defense posture, the current cyber-reporting requirements for government contractors, and the market forces that have led to the divide between the public and private sectors. Part III examines the proposed cyber-incident reporting amendment to the FAR and the potential enforcement impact that it presents to federal government contractors. Finally, Part IV proposes amendments to the DoJ’s FCA Credit Program to soften the burdens of an increasingly punitive cyber-incident reporting compliance program.

II. An Overview of the U.S. Cyber-Incident Reporting and Information-Sharing Framework

Establishing a safe and resilient cyberspace depends on raising minimum security standards across the nation’s entire cyber ecosystem. Bolstering cyber defenses will not only secure and protect sensitive information, but also make it costlier for cyber criminals to attack digital systems and mitigate the spillover effects from an attack on one industry to another. Together, the federal government and the private sector can create a more secure cyberspace by improving cyber-incident reporting in the private sector. However, confusing and conflicting cybersecurity reporting requirements hamper the government’s goal of achieving greater public-private cooperation.

A. The Evolving Cyber Threat Landscape

Since the Internet’s expansion in the 1990s, a vulnerable foundation coupled with the rapid growth of network usage led to “a parallel increase in attacks on computing systems.” The early iterations of the Internet were developed based on an open architecture principle that focused on communication and interoperability rather than on defense or security. When the Internet was eventually introduced to businesses and households for everyday use, new technology and functionality were layered on top of an “already intricate and brittle system[] at the expense of security and resilience.” The number of cyber threats increased as bad actors took advantage of these vulnerabilities and cybercrime tools and weapons became more readily accessible. Now, individuals, criminal organizations, and nation-states that “previously lacked the ability to harm U.S. interests in cyberspace” can leverage existing and modified malware to carry out costly cyberattacks on the federal government and private companies alike.

Not only have the number and frequency of attacks increased in recent years, but “adversaries have become more sophisticated, relentless, and damaging in their attacks.” As soon as the public develops new technology, malicious cyber actors actively seek ways to exploit it. Specifically, adversaries have taken advantage of the growth of Internet-connected consumer devices to scale relatively low-cost attacks to harm hundreds or thousands of individuals. Cybercriminals only need to access one device on a network to infect it with malware that can conceal itself, steal data, self-replicate, and spread to other devices on the same network all without requiring human interaction. More frequently, an attack on one organization spills over to others, harming not just one company, but also its clients and other business affiliates, sometimes even crossing industry and sector lines. In this way, cybercriminals are able to effectively attack government contractors’ networks and computer systems in an effort to access government systems or collect sensitive defense information related to government contracts. As discussed next, the SolarWinds attack demonstrates the need to incentivize government contractors to invest in cybersecurity protections and share information with the government.

Beginning in January 2019, a hacking group affiliated with Russia’s Foreign Intelligence Service exploited a network vulnerability to breach SolarWinds’ network and management software, Orion. SolarWinds is a Texas-based company providing network-management software services to dozens of government agencies and thousands of private companies, including many in the technology, finance, and energy sectors. Russia intentionally targeted SolarWinds’ Orion software, which “was widely used in the federal government to monitor network activity and manage network devices on federal systems.” To gain access to Orion, the hackers first infiltrated SolarWinds’ software build and testing environment by injecting hidden malware into a software update that was still undergoing development and testing. From March to June 2020, SolarWinds released the infected software update to its customers, unaware it was spreading a Trojan horse virus that could grant backdoor access to the Russian hackers.

To avoid detection, the virus was programmed to remain dormant on installed devices for extended periods of time. The virus remained dormant even during a brief testing period, after which network administrators quickly deployed the patches to users’ devices. Once activated, the Trojan horse inspected and gathered information from infiltrated devices. Russia used this backdoor access to install additional malware on victims’ networks to steal data and access credentials, and to elevate its own access privileges. The Russian hackers further evaded detection by returning to the development environment and deleting the original malware file to cover their tracks. The breach was not reported until FireEye, a SolarWinds customer and prominent U.S. cybersecurity firm, notified SolarWinds that there was evidence of a breach in November 2020, roughly eleven months later.

Russia’s efforts and success in evading detection showcase the necessity of bolstering the nation’s cybersecurity defenses across both public and private networks. The potential for spillover not only exacerbates the significant costs of cybercrime on the United States’ economy, but the targeted nature of the attack was especially concerning. Armed with the knowledge that the Orion software was widely used by federal agencies, Russian hackers took advantage of a preexisting trust relationship to attack high-intelligence SolarWinds customers and accomplish its espionage goals. As other attackers observe the success of supply-chain attacks, the number of significant probes against government contractors will likely increase in the future. Accordingly, strengthening government contractors’ cyber protections is essential as malicious actors seek to exploit the procurement relationship to gain access to government systems and sensitive information.

B. The Current Cybersecurity Regulatory Environment

In response to the proliferation of cybercrime, the federal government contemplated legislative and regulatory approaches to modernize the United States’ digital infrastructure. However, congressional efforts to address these new cyber threats through legislation largely stalled. Without legislation standardizing cybersecurity requirements for all government contractors, the Executive Branch turned to regulatory and procurement avenues to encourage private-sector participation and information-sharing efforts to strengthen the nation’s overall cybersecurity posture. But an ad hoc approach to implementing cybersecurity regulation created an “opaque” regulatory environment with varying reporting requirements across the federal government.

1. The Creation of the Cybersecurity Patchwork

In 2002, Congress passed the Federal Information Security Management Act (FISMA) that left federal agencies to individually administer their own information security programs, with federal contractor help. FISMA granted discretion to each agency to determine the appropriate cyber requirements necessary under their information-security programs, creating acquisition rules that not only varied by agency but also by contract—with “uneven implementation.” Without a unified government-wide regulation, agencies filled the void with their own regulatory approaches, and contractors were left to determine what cybersecurity requirements applied to each government contract.

In the 2010s, despite a flurry of legislative initiatives, Congress was unable to pass a federal statute requiring private companies to comply with a uniform set of cybersecurity information-sharing requirements. Businesses largely opposed these legislative efforts, claiming such requirements would be “onerous and costly” and would stifle innovation. Meanwhile, federal agencies continued to develop individual and often duplicative cybersecurity regulations, exacerbating the web of conflicting reporting requirements.

Years later, on November 16, 2018, Congress created a new federal agency called the Cybersecurity and Infrastructure Security Agency (CISA), which is housed under the Department of Homeland Security (DHS) and dedicated to coordinating the nation’s critical infrastructure security and resilience. In March 2022, Congress enacted the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), directing CISA to review cyber-incident data and develop cyber-incident reporting regulations for critical infrastructure organizations. CIRCIA represents the federal government’s first cyber-incident reporting requirement targeting all critical infrastructure sectors, including the defense industrial base, government facilities, healthcare, and information technology. Even after CIRCIA’s implementation, CISA must develop reporting requirements that potentially conflict with other agency regulations because of the existing patchwork. The Cyber Incident Reporting Council, established by CIRCIA to harmonize cyber-incident reporting across the federal government, identified forty-five different reporting regimes currently administered across twenty-two federal agencies. Therefore, a company that contracts with multiple agencies may have to comply with “overlapping information requirements, timelines, and submission methods.”

2. Executive Orders 13636 and 14028

While federal agencies continued to advance their own cybersecurity regimes, the federal government’s focus on private-public information sharing and cyber-incident reporting recently intensified with a series of executive orders and presidential directives. On February 12, 2013, President Barack H. Obama issued Executive Order 13636 (EO 13636) seeking to build a cybersecurity framework and harmonize cyber requirements for federal contractors, emphasizing the importance of timely cyber-threat information sharing between the government and the private sector. Under EO 13636, President Obama tasked the Secretary of Defense, the Administrator of General Services, and the Secretary of the FAR Council to draft recommendations on incorporating cybersecurity standards into federal acquisition planning and contract administration.

Nearly a decade later, on May 17, 2021, President Biden issued Executive Order 14028 (EO 14028), entitled “Improving the Nation’s Cybersecurity,” calling on agencies to modernize the nation’s cybersecurity in response to harmful cybersecurity supply-chain attacks. EO 14028 directs agencies to reevaluate federal contractors’ cybersecurity postures and implement new requirements to protect government systems. Several of these provisions would incorporate cyber compliance as a determinative factor for an offeror’s eligibility to conduct business with the federal government.

Significantly, sections 2(a) and 2(b) of EO 14028 call for an update of standard contract language in the FAR for contracts with information technology (IT) and operational technology (OT) service providers to increase information sharing between the private and public sectors. Specifically, EO 14028 directs federal agencies to review the FAR’s contracting requirements with IT and OT service providers and recommend new cyber-incident reporting requirements to facilitate information sharing. The proposed contract language must ensure IT and OT service providers collect and share cyber-threat data on all systems over which they have control, including any operated on behalf of the government. Through new contract clauses, EO 14028 seeks to ensure greater cooperation between IT and OT service providers and federal cybersecurity investigative bodies in responding to a cyber incident on federal information systems.

Moreover, EO 14028 tasked agencies with identifying Information and Communications Technology (ICT) providers’ cyber-incident reporting requirements, including the nature of cyber incidents that require reporting, the scope of the information that must be shared with federal agencies, timelines for reporting, and the types of contractors covered under the proposal. In an attempt to deconflict the various cyber regulations, EO 14028 calls for standardizing common cybersecurity contractual requirements across federal agencies to streamline and improve compliance. To that end, EO 14028 suggests removing agency-specific requirements that are duplicative of the new FAR updates. Despite this directive, as discussed in Section III, the proposed FAR rule fails to provide sufficient deconflicting language that would alleviate the regulatory patchwork.

3. Cybersecurity Compliance Under the FAR

The federal government seeks to leverage its purchasing power to encourage government contractors to modernize their cybersecurity protections with the hope of reaching other private companies. However, the FAR leaves cybersecurity implementation up to each federal agency, requiring contractor compliance with agency-specific cyber requirements beyond the minimum FISMA, Office of Management and Budget, and National Institute of Standards and Technology policies and guidance. Contractors must then interpret the regulatory patchwork to determine what cybersecurity regulations apply to a particular contract, which may result in conflicting requirements with other contracts or agencies.

Even after EO 13636’s mandate to harmonize cyber requirements in federal acquisitions, the FAR offers little government-wide guidance. The most analogous is the FAR’s mandatory cybersecurity-safeguards clause, FAR 52.204-21, which requires contractors, except for commercial-off-the-shelf providers, to take steps to protect covered contractor information systems that “process[], store[], or transmit[] federal contract information.” The clause outlines fifteen baseline protections that contractors must implement to satisfy FAR compliance, but also directs contractors to adhere to the specific cybersecurity requirements prescribed by individual agencies. Consequently, the responsibility falls to contractors to track and deconflict new requirements in cyber-safeguard regulations as well as ensure compliance for each contract.

The lack of consistency across agency acquisition supplements to the FAR further contributes to the confusion and complicates contractors’ reporting obligations. For instance, the Department of Defense’s (DoD) Defense Federal Acquisition Regulation Supplement (DFARS) distinguishes cyber safeguards for unclassified systems and imposes a seventy-two-hour cyber-incident reporting requirement. Meanwhile, DHS requires contractors to report known and suspected cyber incidents within eight hours of discovery or within one hour if the incident involves personal identifying information. Agencies that deal with national or economic security may require reporting timelines that range from “immediately” to “promptly” or even “without delay.” This list is by no means comprehensive, but it is a small sample that demonstrates the lack of consistency between federal agencies.

Despite this lack of clarity and uniformity, contractors face a high degree of risk for any inaccurate and false cybersecurity certifications submitted to the federal government. Failure to comply may lead to serious procurement consequences, including negative performance evaluations, nonresponsibility determinations, suspension or debarment, terminations for default, or FCA liability.

4. False Claims Act Enforcement of Cybersecurity Reporting

In October 2021, the DoJ announced the launch of the Civil Cyber-Fraud Initiative to harness FCA enforcement liability to target government contractors and grant recipients that fail to comply with cybersecurity standards. The initiative seeks to “hold accountable [contractors] . . . [for] knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.” The DoJ announced its intent to use the FCA to achieve its cybersecurity policy goals by ensuring contractors protect government data and information systems, guarantee market competition, and recover taxpayer losses from noncompliant companies.

The FCA serves as the government’s primary tool for combating fraud in government procurement or any activity involving federal funds. The statute imposes heavy monetary liability on any person or entity that knowingly submits, or causes to be submitted, false claims to the government. Congress implemented the FCA to allow the government to recoup the costs of fraud, deter fraudulent activity, and incentivize qui tam relators to bring a claim on behalf of the government. In the procurement context, the FCA covers a wide range of contractor misconduct from mischarging the government for goods or services never delivered to submitting “false certifications of statutory or regulatory compliance . . . which are alleged to be material to the government’s decision to pay the claim.” Importantly, the FCA prohibits contractors from submitting “false or fraudulent claims,” which the Supreme Court explains covers fraudulent misrepresentations and misleading omissions. In Universal Health Services, Inc. v. United States ex rel. Escobar, the Supreme Court resolved the scope of the implied certification theory, which can establish FCA liability when a billing party “implicitly communicates that it conformed to the relevant program requirements, such that it was entitled to payment” each time it submitted a claim. The Court held that the implied certification theory provides a basis for FCA liability when two conditions are met: “first, the claim does not merely request payment, but also makes specific representations about the goods or services provided; and second, the defendant’s failure to disclose noncompliance with material statutory, regulatory, or contractual requirements makes those representations half-truths.” Thus, the FCA applies to contractors that “make[] representations in submitting a claim but omit[] its violations of statutory, regulatory, or contractual requirements, . . . if [those omissions] render the defendant’s representations misleading with respect to the goods or services provided.”

Adverse civil judgments present serious business risks for contractors as FCA liability can include statutory damages and penalties, the cost of the civil action, and possible suspension and debarment. Significantly, the statute imposes treble damages, allowing the government to recover three times the damage the government sustained because of the false certification, plus mandatory penalties of $13,946–$27,894 per claim. Notably, this recovery scheme can create disproportionate effects as a series of false claims can lead to huge penalties, even when the harm inflicted on the government is relatively small. To illustrate the potentially devastating effects of FCA penalties, treatise author John T. Boese highlights one example: “the potential imposition of 1,000 separate civil penalties totaling over $21 million in response to a series of 1,000 false claims for prescriptions of $10 each . . . where the loss to the government totaled $10,000.” Additionally, violations of the FCA can also lead to potential suspension and debarment actions, preventing a company from doing business with the federal government. Scholars have referred to suspension and debarment as a “death sentence” for government contractors as the economic effect can be devastating. Unsurprisingly, the threat of such liability provides a substantial litigation advantage to the government that is not easily dismissed.

A recent uptick in FCA activity demonstrates the DoJ’s focus on cybersecurity regulatory compliance. In one of its first settlements, the Civil Cyber-Fraud Initiative settled with Aerojet for $9 million after Aerojet entered into multiple government contracts that had cybersecurity requirements, failed to meet those requirements, and hid its noncompliance from the government. On September 1, 2023, an ongoing qui tam suit was unsealed in which the former chief information officer for Pennsylvania State University alleged that the school’s cybersecurity certifications submitted to secure DoD funding were false. A few days later, Verizon announced a $4 million FCA settlement after it self-disclosed noncompliance with its solution, Managed Trust Internet Protocol Service, which did not comply with required cyber standards. In its settlement agreement, Verizon stated that it failed to meet three required standards under a federal cyber initiative, the Trusted Internet Connections, on GSA contracts from 2017 to 2021. As more cybersecurity requirements are enacted, government contractors should expect to see more FCA cyber actions brought by the government.

C. Misaligned Priorities Between the Public and Private Sectors

Despite the government’s regulatory efforts to encourage the private sector to participate in the cybersecurity market, differences in public and private priorities frustrate meaningful progress in securing the nation’s digital infrastructure. Namely, tension exists between the commercial market’s profit-maximizing structure and the government’s need to protect national security. This tension hampers the government’s ability to identify cybercrime fully.

1. The Necessity of Information Sharing

The ability to prevent and respond to cybercrime requires knowledge of the threat actors, “including their motivations, techniques,” and means of targeting organizations. As such, federal agencies collect and interpret voluntary disclosure information from the private sector and private individuals to assess the severity and frequency of cyberattacks. However, the government’s access to cyber-threat data is limited because private entities own a majority of the Internet’s infrastructure and these entities are not always subject to mandatory reporting requirements. Government regulatory officials noted that private cybersecurity firms often receive better cyber-threat data from their clients because they are brought in first to help investigate and remediate after an intrusion is discovered.

The Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) is one reporting mechanism that collects voluntary cybercrime complaints from the public. In 2022 and 2023, the IC3 received 800,944 and 880,418 cybercrime complaints, respectively, with estimated potential losses of $10.3 billion and $12.5 billion. Although the number of reported incidents reached a record high this past year, the FBI considers these to be conservative numbers given the difficulty of determining the true number of victims, as many incidents go unreported. Even with conservative numbers, the trend indicates that cybercrime only continues to threaten the economy and individuals. For instance, IBM reported that the global average cost of a data breach reached $4.88 million after analyzing 604 private organizations impacted by cyber incidents in 2023. Incomplete incident-reporting data and the associated costs of cybercrime make it difficult for both the government and private stakeholders to manage the risk.

With access to immediate and accurate cyber-incident data, investigative agencies stand a better chance of intercepting cybercrime, recovering stolen data, and retrieving ransom payments. Law enforcement agencies can also use this data to maximize investigative opportunities, assist with attribution, and better understand a criminal actor’s tradecraft. Given the wide breadth of cyberattacks, information from one data breach can lead to clues in other investigations and, ultimately, more government takedowns of organized cybercrime gangs. Thus, increased information-sharing partnerships in particularly complex cases can help reduce the number of attacks plaguing the private sector.

The government’s information-sharing efforts certainly benefit the overall defense of cyberspace, but the private sector also benefits from this exchange. For example, the DoJ currently analyzes data obtained through its cyber investigations and shares takeaways with private companies so that they can conduct risk assessments and take affirmative steps to protect their own networks. Companies can strategically invest in more cyber protections if the reported data accurately captures the scope of the threat. Greater participation and investment in cybersecurity protections reduce the overall likelihood of an intrusion and improve the resiliency of the nation’s digital infrastructure.

Additionally, when responding to and investigating cyber incidents, private companies can take advantage of federal expertise and resources by voluntarily reporting to law enforcement agencies. The FBI in particular can compel disclosure of data from internet service providers, work with foreign counterparts, or even secure reporting extensions in some instances. Notably, a majority of ransomware victims that called law enforcement avoided paying a ransom. Yet IBM reports that more firms paid fines as a result of reporting breaches to regulators or other government agencies in 2024 despite reporting within seventy-two hours. It is unclear whether this trend to fine more firms will continue to encourage cyber reporting participation or whether it will have a chilling effect on information sharing across sectors.

2. Market Disincentives

Despite the benefits of information sharing, the current market economy discourages private-sector investment in cybersecurity and voluntary incident reporting. Companies are rewarded for short-term profits and cost cutting, selling insecure products and services that can lead to damaging supply-chain attacks. As discussed in Section I, SolarWinds was no exception—it sought to minimize costs and maximize profits by outsourcing much of its software development to cheaper programmers overseas.

In today’s economy, cybersecurity is a natural area for companies to cut costs because customers generally do not factor a company’s cybersecurity posture into their purchasing calculus. If a company falls victim to a cyber incident, it has little incentive to take remedial steps because consumers have typically already paid for a product or service. Rather than internalizing the harm of poor cybersecurity practices, companies are passing the cost onto customers—either through increased prices or loss of personal information and privacy. In fact, IBM noted that sixty-three percent of companies reported that they intended to increase costs and pass them along to customers following a data breach. As a result, the current market structure creates negative externalities not just for individual consumers but for society as well.

Compliance liability could further disincentivize firms from disclosing security breaches when reporting can lead to enforcement actions brought by federal agencies. However, it is difficult to strike an appropriate balance between liability and achieving the government’s cybersecurity goals: “Liability introduces its own risks. Too little, and it has no effect. But if the responsibilities and expectations for acceptable, non-negligent behavior are too broad, liability can raise costs, serve as a barrier of entry for competition and stifle innovation.”

Without encouragement from consumers—or the government—private companies face little incentive to strengthen their own safety protocols and prioritize cyber-incident reporting. Recognizing the need to leverage federal procurement to drive greater cybersecurity participation, the government is now relying on contract clauses to create a mandatory information-sharing mechanism. On the other hand, given the complicated regulatory scheme, the proposed amendments to the FAR could excessively increase contractors’ liability and likely discourage public-private partnerships.

III. Analyzing the FAR’s Proposed Information-Sharing Clauses and the Potential Impact on Government Contractors

The FAR’s Cyber Threat and Incident Response Reporting and Information Sharing amendment advances much of EO 14028’s directive to modernize government contractors’ cybersecurity postures and further information-sharing goals between the public and private sectors. However, the new requirements impose significant compliance burdens on government contractors that wish to maintain their business with the government. Importantly, the proposed amendment fails to incorporate key suggestions from EO 14028, such as deconflicting requirements across federal agencies. In sum, the proposal’s lack of transparency and uniformity combined with greater FCA liability is unlikely to improve public-private partnerships.

A. FAR Case 2021-017: Cyber-Threat and Incident-Response Reporting and Information Sharing

FAR Case 2021-017, Cyber Threat and Incident Response Reporting and Information Sharing, seeks to amend FAR 39.108, which governs the procurement of ICT. As currently defined in the FAR, ICT encompasses any technology used for “the creation, manipulation, storage, display, receipt, or transmission of electronic data and information.” Pursuant to the amendment, all non-commercial contractors that either sell products or services containing ICT or use ICT during the performance of a government contract will be required to incorporate two new cyber clauses in all future solicitations and contracts. Because information technology is used in virtually every business setting, the government is ensuring that the rule casts a wide net to encourage greater cybersecurity participation.

The language provided below focuses on the cyber incident reporting and information sharing requirements of the new FAR clauses.

Clause 52.239-ZZ, Incident and Threat Reporting and Incident Response Requirements for Products or Services Containing Information and Communications Technology (hereinafter the “Incident Reporting clause”), imposes mandatory reporting obligations when a contractor suspects it has been subject to a cyberattack:

(b) Security incident reporting.

(1) (i) The Contractor shall submit a CISA Incident Reporting Form on all security incidents involving a product or service provided to the Government that includes information and communications technology, or the information system used in developing or providing the product or service, to the Cybersecurity and Infrastructure Security Agency (CISA) in the Department of Homeland Security using the CISA Incident Reporting System. The CISA Incident Reporting System, along with information on types of incidents, can be found here: https://www.cisa.gov/report.

(ii) Consistent with applicable laws, regulations, and Governmentwide policies, CISA will share the information reported with any contracting agency potentially affected by the incident or by a vulnerability revealed by the incident and other executive agencies responsible for investigating or remediating cyber incidents, such as the Federal Bureau of Investigation (FBI), and other elements of the intelligence community.

(2) The Contractor shall also notify the Contracting Officer, and the contracting officer (or ordering officer) of any agency which placed an affected order under this contract, that an incident reporting portal has been submitted to CISA.

(3) The Contractor shall immediately and thoroughly investigate all indicators that a security incident may have occurred and submit information using the CISA incident reporting portal pursuant to paragraphs (b) and (c) of this clause within 8 hours of discovery that a security incident may have occurred and shall update the submission every 72 hours thereafter until the Contractor, the agency, and/or any investigating agencies have completed all eradication or remediation activities. Security incidents involving specific types of information (e.g., controlled unclassified information, classified information) may require additional reporting that is separate from the requirements of this clause.

Meanwhile, Clause 52.239-AA, Security Incident Reporting Representation (hereinafter the “Representation clause”) requires contractors to submit an annual cybersecurity representation certifying:

(b) Representation.

(1) The Offeror represents that it has submitted in a current, accurate, and complete manner, all security incident reports required by current existing contracts between the Offeror and the Government.

(2) Under existing contracts between the Offeror and the Government where information and communications technology is used or provided in the performance of a subcontract, the Offeror represents that it has required each first-tier subcontractor to–

(i) Notify the Offeror within 8 hours of discovery of a security incident, as required by paragraph (f) of FAR clause 52.239-ZZ; and

(ii) Require the next lower tier subcontractor to include the requirement to notify the prime Contractor and next higher tier subcontractor within 8 hours of discovery of a security incident, and include this reporting requirement and continued flow down requirement in any lower tier subcontracts, in this and other executive agency contracts, as required by paragraph (f) of FAR clause 52.239-ZZ.

The sections below evaluate a few of the obstacles contractors may face when complying with the proposed reporting requirements and how the proposed rules broaden a contractor’s exposure to enforcement actions if the government were to find evidence of noncompliance.

B. Compliance Challenges Under the Incident-Reporting Clause

The Incident Reporting clause officially mandates cyber-incident reporting from government contractors, but the clause’s requirements do not align with federal agencies’ pre-existing reporting timeframes. Not only are the new requirements inconsistent with existing deadlines, but the lack of clear guidance creates greater ambiguity for contractors. Under the Incident Reporting clause, companies will be expected to investigate suspected security incidents, comply with an eight-hour reporting deadline, and continuously update authorities on the status of an incident, all while adhering to any other agency-specific reporting obligations. These reporting burdens will likely complicate contractors’ threat-remediation efforts and further discourage voluntary cooperation with the government.

The Incident Reporting clause requires contractors to report cyber incidents to federal agencies “within 8 hours of discovery that a security incident may have occurred.” This is dramatically shorter than CISA’s current seventy-two-hour reporting requirement for critical infrastructure organizations under CIRCIA. Similarly, DFARS requires defense contractors to report cyber incidents affecting controlled unclassified information within seventy-two hours of discovery. Although the FAR Council acknowledged that contractors may have to comply with multiple reporting requirements across the federal government, it provided little support for deviating from these existing timeframes except to reiterate the preference for collecting early cyber reports, even if this means reports are incomplete or inaccurate. Notably, the clause fails to address how a contractor should approach conflicting reporting timelines or technical definitions.

Further departing from existing reporting frameworks, the FAR’s definition for a “security incident” differs from the definitions used by CIRCIA and DFARS. The proposed rule provides that a security incident refers to three “actual or potential” possible occurrences:

(1) Any event or series of events, which pose(s) actual or imminent jeopardy, without lawful authority, to the integrity, confidentiality, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures or acceptable use policies;

(2) Any malicious computer software discovered on an information system; or

(3) Transfer of classified or controlled unclassified information onto an information system not accredited (i.e., authorized) for the appropriate security level.

In comparison, CIRCIA emphasizes that a “cyber incident” is any event that leads to “substantial loss,” whereas DFARS requires reporting of “actions . . . that result in a compromise or an actual or potentially adverse effect on an information system.” Each of these rules focuses on a different threshold before reporting is required, and each threshold can be interpreted differently. Without a standard definition, companies that contract with multiple government agencies will have to reinterpret which definition applies to each of their contracts for every cyber intrusion.

Meanwhile, the FAR does not define what constitutes “discovery” of a cyber incident to trigger a contractor’s reporting obligations. An explicit definition of this term is necessary to provide contractors with a clear understanding of their reporting responsibilities, especially because it can take months to investigate and identify a security incident. According to CISA guidance, “[t]he most challenging aspect of the incident response process is often accurately detecting and assessing cybersecurity incidents.” CIRCIA’s reporting language reflects this understanding because the reporting obligation triggers when the entity “reasonably believes that [a] covered cyber incident has occurred.” In comparison, the FAR’s ambiguous language does not clarify at what point liability is possibly triggered. This raises a dilemma for government contractors: quickly report all suspicious cyber activity, even if this results in incomplete or inaccurate information that will be shared with other government agencies, or take the time to investigate thoroughly for more determinative evidence and risk missing the deadline. Importantly, contractors may face liability depending on how the government—or courts—interpret “discovery” to establish knowledge, reckless disregard, or deliberate ignorance in an FCA action. The DoJ’s Civil Cyber Fraud Taskforce has already recognized knowing failure to report cyber breaches as a prime candidate for FCA liability. Therefore, ambiguous key terms in the proposed rule will likely lead to future costly litigation to determine which party’s interpretation is reasonable.

Moreover, complying with divergent reporting timelines may be challenging while also responding to a cyber incident. The time and costs associated with reporting to federal authorities can potentially disrupt business operations and a contractor’s efforts to remove the threat from its systems while mitigating immediate harm. Contrary to public perception, government agencies do not take over a private entity’s cyber-incident response operation, but run their own concurrent investigation to identify the perpetrator. These parallel investigations may conflict with each other as the federal agency requests information or access privileges—which contractors will be required to provide under the Incident Reporting clause—while the company attempts to remediate the threat and meet its legal obligations. Additionally, contractors will have to continuously update their cyber-incident reports every seventy-two hours while responding to a security incident until the contractor, contracting agency, or investigative agencies have completed all remediation activities. This requirement will likely add a further compliance burden considering the average time to contain a breach is sixty-four days from identification, or fifty-four days with extensive use of artificial intelligence tools. Layering requirements on a contractor in the middle of a cyber-incident response will likely interfere with investigative and remediation efforts. On balance, collecting early data may benefit the government’s threat assessment goals, but imposing liability for ambiguous contract requirements and short reporting deadlines will likely create significant compliance hurdles in the future.

C. Greater Risk of FCA Enforcement Actions and Other Litigation

The proposed FAR clauses not only impose technical burdens but also strengthen the government’s ability to bring enforcement actions against contractors and subcontractors. Specifically, the Representation clause’s annual cyber certification requirement further extends the reach of the FCA to future cyber enforcement actions. By incorporating the Incident Reporting clause, contractors not only have to self-certify compliance with the eight-hour reporting timeframe for a particular contract, but also annually across all applicable, existing government contracts. Considering a company’s numerous and conflicting cyber reporting requirements, the potential to submit false or inaccurate statements could become so broad that failing to report one cyber incident may lead to enforcement actions. This clause also clears a path for more enforcement actions under a “but for” theory that the government would not have awarded contracts had it only known of a company’s inaccurate certification of compliance.

Contractors cannot evade FCA liability with the argument that actual cyber compliance is not material to an agency’s decision to do business with them. To solidify the use of the FCA for cybersecurity compliance, the FAR’s proposed rule expressly states that contractor compliance with the cybersecurity clauses is “material to eligibility and payment under [g]overnment contracts.” Materiality is a required element for an FCA false certification violation, and by adding this language to the clauses, the government rules out a potential future defense that the cyber regulation is not material to contract performance. While Escobar prevents the FCA from becoming “an all-purpose antifraud statute,” the Court noted that “a provision that is labeled a condition of payment is relevant to but not dispositive of the materiality inquiry.”

Furthermore, the new rule may require contractors to provide CISA access to their systems while responding to an incident, and it allows CISA to share cyber incident reports with other federal agencies but does not discuss how that information will be used. Contractors will inevitably submit incomplete and inaccurate cyber incident reports to comply with the new reporting requirements, but practitioners are concerned about how preliminary information shared with CISA may be treated by federal agencies in the future. In fact, industry raised similar concerns when the Securities and Exchange Commission (SEC) first opened its investigation into SolarWinds. Under the SEC rule, companies must report significant cyberattacks within four business days, detailing information about their cybersecurity risk management, strategy, and governance. The SEC claims SolarWinds and its chief information security officer (CISO) defrauded stakeholders by inaccurately certifying that the company complied with cybersecurity standards and by concealing the company’s cybersecurity vulnerabilities. When the SEC sent requests for information to companies exposed to the SolarWinds breach, the majority of respondents questioned how the SEC would use information about previously unreported cyber incidents.

In light of the SEC’s recent enforcement action against SolarWinds, the private sector’s concern over increased litigation is not unfounded. Twenty-one former government officials submitted an amicus brief in the SEC lawsuit warning that enforcement actions against companies that voluntarily disclosed cyber incidents “could disincentivize public-private information-sharing that is critically important to our nation’s security.” The officials explained that the companies or CISOs may decide against sharing information with the government if preliminary cyber incident information results in a lawsuit. The SEC investigation into SolarWinds provides one example of how agencies can use cyber regulations to investigate companies that failed to disclose breaches or implement appropriate controls to prevent or mitigate past attacks. Exposing firms to severe penalties following voluntary disclosure may only reinforce the private sector’s hesitancy to share cyber incident information.

Although the proposed rule is a positive step toward facilitating information sharing between government contractors and the federal government, the language fails to harmonize conflicting regulatory frameworks or demystify a contractor’s cyber reporting responsibilities. Rather, adding ambiguous and burdensome requirements while wielding FCA liability to achieve cybersecurity compliance disproportionately increases the liability risk to government contractors. Instead, alternative legislative and regulatory solutions to consolidate cybersecurity requirements and limit FCA consequences for good-faith contractors may better balance the competing needs of the two sectors.

IV. Addressing the Partnership Gap: Harmonizing Cyber Requirements and Proposals to Soften FCA Consequences for Good-Faith Contractors

As an initial matter, the government should address the cyber regulation patchwork to ease compliance burdens on government contractors. Consolidating cyber reporting requirements would likely ease the compliance burden on contractors and encourage greater participation in the cybersecurity market. At the same time, amending the DoJ’s FCA cooperation credit program to mirror the Foreign Corrupt Practices Act (FCPA) cooperation program could help offset the risk to government contractors and reduce some of the barriers to contracting with the government.

A. Harmonizing the Federal Government’s Cybersecurity Reporting Requirements

In its current iteration, the proposed FAR rule misses out on an opportunity to harmonize cyber-incident reporting by declining to adopt an existing timeframe or provide guidance on deconflicting the various agency reporting timelines. Uniform reporting requirements can help alleviate the compliance burden on government contractors by standardizing “definitions of reportable cyber incidents; the timelines and triggers for when reports must be made; the content of reports; and how the reports are submitted to relevant agencies.”

Rather than rely on individual agencies to establish their own reporting frameworks, CISA may be better positioned to consolidate requirements across the federal government. Congress created CISA so that it could serve as a coordinating agent working with private sectors, non-profit organizations, and partners at all levels of government. CISA is to be responsible for handling all incoming cyber reports, and thus it may be better positioned to consolidate and set cyber-incident reporting requirements. Although CISA is tasked with developing cybersecurity requirements for critical infrastructure organizations and not government contractors, many industry sectors are designated as critical infrastructure.

In consultation with other federal agencies, CISA can determine what those standards should be and utilize its existing framework to set regulations for the rest of the federal government. Such a legislative solution could standardize cybersecurity reporting and information-sharing requirements for government contractors while allowing CISA to respond to evolving cyber threats more quickly than if Congress were to prescribe the requirements itself. Legislation granting CISA the ability to standardize cyber regulations across the federal government may represent the most streamlined solution for rectifying the cyber-regulation patchwork since CISA already has an information-sharing framework in place. Leveraging CISA’s existing framework may help untangle the regulatory patchwork by reducing complexity and duplicative overlap while improving collaboration between the federal government and the private sector.

Alternatively, anonymizing the cyber-incident reports of entities that have been hacked may encourage contractors to share information without fear of future litigation. For example, CISA could “deidentif[y]” information after receipt from government contractors and before passing it along to other government agencies. Insulating contractors from liability for submitting anonymous reports may further break down barriers to information sharing and ease tension. Thus, safeguards that protect a contractor’s sensitive cyber-incident information and shield it from legal liability may further encourage private companies to voluntarily report cyber incidents and partner with the government.

B. Updating the Justice Manual: A Proposal for Cyber Declinations

To balance the needs of both the public and private sectors, amending current cooperation mechanisms to soften FCA liability could encourage information sharing and further promote fairness between government contractors and the federal government. The DoJ implemented cooperation programs for both the FCPA and FCA to more easily uncover illicit activity. Currently, the DoJ offers formal guidance in its Justice Manual on potential credit awards for FCA defendants that satisfy certain disclosure, cooperation, and remedial activities. The guidance is intended to incentivize companies and individuals to share information and assist the government upon discovery of potential FCA violations, aid ongoing investigations, and take appropriate remedial actions in response to suspected misconduct.

While the FCPA and FCA programs similarly evaluate mitigating factors to assess the degree of cooperation, the FCPA offers cooperators the presumption of a declination. The FCPA policy creates a rebuttable presumption that an investigation will be resolved through the government’s decision not to bring criminal charges against a company that meets certain conditions. Amending the FCA cooperation credit program to allow for an FCPA-style presumption of a declination could limit FCA damages and penalties while encouraging contractors to voluntarily self-disclose cyber incidents. Providing an alternative option to FCA enforcement, without removing the statute’s enforcement capabilities, may further the government’s cybersecurity goals by increasing the incentives for, and ultimately the instances of, reporting.

1. Looking to the Foreign Corrupt Practices Act Corporate Enforcement Program

The DoJ’s Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP) addresses corruption in violation of the FCPA and other corporate criminal matters. The DoJ has gradually expanded the incentives and application of the CEP over the past few years. In 2016, the DoJ established the FCPA Pilot Program to encourage corporations to voluntarily self-report criminal activity to address a long-standing barrier in uncovering corporate misconduct. Due to the success of voluntary self-reporting, the Criminal Division expanded the pilot program and applied the CEP to all criminal matters beginning in 2018. Finally, in 2023, the Criminal Division revised the CEP to further encourage companies to make early and voluntary self-disclosures of potential criminal violations.

Under the CEP, when a company voluntarily self-discloses misconduct to the Criminal Division, fully cooperates, and timely and appropriately remediates, “there will be a presumption that the company will receive a declination absent aggravating circumstances.” Additionally, “the company is required to pay all disgorgement, forfeiture, and/or restitution resulting from the misconduct at issue” to qualify for a declination. The policy further provides that if aggravating circumstances are present, the prosecutor may assess whether a declination is appropriate. The CEP ultimately leaves declination and credit determinations up to the prosecutor’s discretion, outlining various factors prosecutors may use to make declination determinations.

2. Amending the FCA Credit Program

As with the FCPA CEP, the DoJ’s FCA cooperation credit program allows prosecutors to evaluate the circumstances surrounding the reporting party’s cooperation to determine an appropriate credit award. Generally, all three types of cooperation—disclosure, cooperation, and remedial action—are required to earn maximum credit, but the Justice Manual also allows for partial credit. The credit is primarily awarded in the form of reduced penalties or a decrease in the FCA multiplier for damages. The Justice Manual currently cannot offer cooperators a reduction that would prevent the government from recovering its total losses. Therefore, no degree of cooperation can completely immunize contractors from statutory FCA penalties or damages. Instead, the guidance allows for credit to apply in other ways, including notifying other government agencies about the cooperation for potential consideration in administrative actions, public acknowledgment of the cooperation, and assisting defendants in resolving qui tam relator litigation.

Similar to instances of corruption and other FCPA violations, the government currently faces challenges detecting cyber incidents that have affected the private sector or assessing companies’ cyber protections without voluntary reporting from the private sector. While FCPA programs address criminal violations, an incentive structure might equally apply to FCA actions, given the potential for severe monetary penalties and the impact on a contractor’s future ability to conduct business with the government. Severe monetary penalties give the impression of a punitive, adversarial approach rather than one encouraging partnership and equality.

The recent Verizon FCA settlement demonstrates that even voluntary reporting leads to damages despite a cooperation credit. Some practitioners claim the Verizon settlement is evidence of the DoJ’s success in encouraging companies to self-report. Verizon may have mitigated its exposure to suspension or debarment determinations by voluntarily disclosing, but it was still subjected to a $4.1 million fine. When companies voluntarily report to regulators, it demonstrates good faith by saying “[l]ook, we did everything we could here, we properly investigated it, remediated it, and reported it.” “The Federal Government should ensure that entities covered by the cyber incident reporting requirements are not liable for good-faith efforts to comply with the reporting requirements and that entities are protected from liability based on the information contained in reporting requirements.” Extending the credit program further to allow for declinations could help offset the disincentives private companies face in voluntarily reporting cyber incidents.

V. Conclusion

The threat of cyberattacks is serious and growing. While the government is taking appropriate steps to bolster the nation’s overall cybersecurity, a patchwork of cyber regulations with differing requirements overly burdens government contractors. Instead of introducing individual cybersecurity reporting timeframes and further complicating a messy regulatory scheme, the government ought to consolidate preexisting frameworks. Likewise, the government should provide opportunities to good-faith contractors that promote fair and consistent enforcement actions by expanding the DoJ’s FCA cooperation credit program. Moving away from a penalty-only approach and finding a middle ground will better promote public-private partnerships. Overall, incentivized reporting can advance the cyber resiliency of government contractors and subsequently the private sector.