Cybersecurity Enforcement Escalates With Criminal Charges Against Federal Contractor Executive

In a client alert from attorneys at the Parker Poe firm, the US Department of Justice’s (DOJ) expanding cybersecurity enforcement posture is illustrated by a newly announced criminal fraud indictment tied to alleged misrepresentations of government cybersecurity compliance. The authors explain that the December 10 indictment reflects the DOJ’s continued focus on holding federal contractors and individuals within those organizations accountable for the accuracy of cybersecurity representations made in connection with government contracts.

According to the client alert, the indictment targets a senior manager at a government cloud services contractor accused of defrauding federal agencies and obstructing audits. Prosecutors allege that the individual knowingly misrepresented the security capabilities of the company’s cloud platform to meet contract requirements that demanded higher levels of protection than the platform could actually support. Federal agencies allegedly relied on these statements when awarding contracts and subcontracts valued in the hundreds of millions of dollars.

The alert notes that the allegations center on materially false or misleading submissions to auditors and authorizing officials. These submissions allegedly concealed failures to implement required controls under the Federal Risk and Authorization Management Program and the Department of Defense’s Risk Management Framework, despite internal and third-party warnings about noncompliance. The authors emphasize that DOJ views adherence to these cybersecurity frameworks as critical to federal procurement decisions.

The authors conclude that this case underscores several compliance lessons for contractors. Beyond the well-established risk of civil liability under the False Claims Act, DOJ has demonstrated a willingness to pursue criminal charges against individuals involved in cybersecurity compliance failures. 

In an environment of increased cybersecurity enforcement, it is crucial to implement and fully document cybersecurity controls. This must be coupled with strong internal governance structures that ensure truthful disclosures, effective escalation of concerns, and consistent oversight of all representations made to the government.