
Nkechi A. Kanu is a counsel in the Washington, D.C. office of Crowell & Moring, where she is a member of the firm’s Government Contracts Group.

Nkechi’s practice focuses on False Claims Act investigations and litigation. Nkechi has significant experience assisting companies with complex internal investigations and represents clients in government investigations involving allegations of fraud. She also focuses on assisting clients with investigations relating to cybersecurity and information security compliance. Her complementary litigation practice involves defending companies in government-facing litigation arising under the FCA, resulting in the dismissal of qui tam complaints and successful settlements of FCA claims with DOJ.

On November 9, 2023, the National Institute of Standards and Technology (“NIST”) released the Final Public Draft (“FPD”) of Special Publication (“SP”) 800-171 Revision (“Rev.”) 3, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” and the Initial Public Draft of NIST SP 800-171A Rev. 3, “Assessing Security Requirements for Controlled Unclassified Information.”  The FPD of SP 800-171 Rev. 3 condenses several control requirements from the initial public draft while adding new requirements under existing controls.  The initial draft of SP 800-171A now aligns with SP 800-171 Rev. 3 and includes more detailed assessment procedures than its predecessor.  Changes in both documents forecast the evolving compliance requirements for organizations required to safeguard Controlled Unclassified Information (“CUI”).

Continue Reading The Holidays Come Early: NIST Unwraps Final Draft Revision 3 to NIST SP 800-171

Civil Cyber-Fraud Initiative

In this episode, Jason Crawford, Nkechi Kanu, and Agustin Orozco discuss a recent settlement that underscores the DOJ’s increased use of the False Claims Act to address noncompliance with cybersecurity requirements. “Let’s Talk FCA” is Crowell & Moring’s podcast covering the latest developments with the False Claims Act.


Almost a decade after the Department of Defense developed rules requiring mandatory reporting of cyber incidents, on October 3, 2023, the Federal Acquisition Regulation (FAR) Council released new proposed rules—one addressing cyber incident reporting and another addressing cybersecurity requirements for contractors maintaining a Federal Information System (FIS).  When enacted, these rules could implement new security measures and incident reporting requirements via FAR clauses for contractors across the entire federal government.  The “Cyber Threat and Incident Reporting and Information Sharing” proposed rule focuses on increasing the sharing of information about cyber threats between government and private industry, while the “Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems” proposed rule focuses on implementing policies, procedures, and requirements for contractors maintaining an FIS.  These rules implement Biden Administration initiatives pursuant to Executive Order (“EO”) 14028, “Improving the Nation’s Cybersecurity” issued in May 2021. 

Continue Reading FAR Council’s Cyber Harvest: New Incident Reporting and Federal Information System Requirements Await Government Contractors

A False Claims Act (FCA) settlement recently announced by the U.S. Department of Justice stands at the intersection of two evolving trends:  DOJ’s increasing focus on cybersecurity lapses by government contractors as part of its Civil Cyber-Fraud Initiative, and DOJ policies incentivizing corporations to voluntarily self-disclose violations of federal law.

On September 5, 2023, DOJ announced a $4 million settlement with Verizon Business Network Services LLC (Verizon) addressing allegations that Verizon violated the FCA because certain telecommunications services it provided to federal agencies under its General Services Administration (GSA) contracts did not comply with applicable cybersecurity requirements, namely the Office of Management and Budget’s Trusted Internet Connections (TIC) initiative.  DOJ specifically alleged that Verizon’s Managed Trusted Internet Protocol Service (MTIPS)—an information technology service that allows federal agencies to securely connect to public internet and external networks—did not comply with three security controls in the Department of Homeland Security’s TIC Reference Architecture Document, including a control that required the use of FIPS 140-2 validated cryptography.  The Verizon settlement represents the latest example of DOJ’s continued focus on cybersecurity cases, a trend that we believe will only continue to escalate going forward.

Continue Reading Civil Cyber-Fraud Settlement Highlights Potential for Cooperation Credit

On June 21, 2023, the Department of Homeland Security (DHS) issued a final rule amending the Homeland Security Acquisition Regulation (HSAR) by updating an existing clause (HSAR 3052.204-71) and adding two new contract clauses (HSAR 3052.204-72 and 3052.204-73) to address safeguarding of Controlled Unclassified Information (CUI).  The final rule is effective July 21, 2023.

The new clauses aim to improve privacy and security measures around CUI by introducing: (1) general CUI handling requirements; (2) authority to operate (ATO) requirements for federal information systems; (3) incident reporting requirements and activities; and (4) sanitization of government related files and information. These new clauses move DHS away from the use of DHS-defined sensitive information and toward the government-wide CUI model. 

Continue Reading Homeland Cybersecurity: DHS Overhauls Its CUI Program, Releases New Contract Clauses

On March 22, 2022, the Department of Defense (DoD) issued a final rule requiring contracting officers to consider supplier risk assessments in DoD’s Supplier Performance Risk System (SPRS) when evaluating offers. SPRS is a DoD enterprise system that collects contractor quality and delivery performance data from a variety of systems to develop three risk assessments:

2022 was a busy year for the False Claims Act.  While recoveries were down, new cases reached a record mark, and settlements addressed multiple important and developing enforcement areas, from cybersecurity to small business fraud, bid rigging, Trade Agreements Act compliance, pandemic fraud, and more.  Of particular note, the U.S. Supreme Court held argument concerning

2021 was another busy year in False Claims Act enforcement and litigation. Significant decisions were issued across the circuits, spanning government dismissal authority, materiality, scienter, Rule 9(b) pleading standards, the Eighth Amendment’s Excessive Fines Clause, and more. The year also saw proposed amendments introduced by Senator Chuck Grassley aimed at strengthening the statute and overruling

Like many other aspects of the legal landscape, 2020 was defined by COVID-19 and emerging areas of exposure and enforcement to come related to pandemic relief funding. But 2020 also saw many other important FCA developments, from case law developments on materiality, causation, pleading requirements, bars to qui tam actions, and the government’s authority to

Fresh off the heels of the DFARS Interim Rule, the Department of Defense (DoD) released Assessment Guides for Levels 1 – 3 of the Cybersecurity Maturity Model Certification (CMMC). These Guides will be used by Certified Assessors to determine whether contractors have satisfied the practices and processes required to attain CMMC certifications at