On October 22, 2024, the Department of Justice (DOJ) announced that Pennsylvania State University (Penn State) will pay $1.25 million to resolve allegations that it violated the False Claims Act (FCA) by failing to comply with contractually mandated cybersecurity requirements by the Department of Defense (DoD) and National Aeronautics and Space Administration (NASA). The announcement marks the most recent settlement under DOJ’s Civil Cyber-Fraud Initiative although, unlike prior settlements, there is no allegation of a cybersecurity incident or breach that was related to or caused by the contractor’s alleged noncompliance.Continue Reading Allegations of a Litany of Lyin’: Penn State Settles Claims of Cybersecurity Noncompliance
Nkechi Kanu
Nkechi A. Kanu is a counsel in the Washington, D.C. office of Crowell & Moring, where she is a member of the firm’s Government Contracts Group.
Nkechi’s practice focuses on False Claims Act investigations and litigation. Nkechi has significant experience assisting companies with complex internal investigations and represents clients in government investigations involving allegations of fraud. She also focuses on assisting clients with investigations relating to cybersecurity and information security compliance. Her complementary litigation practice involves defending companies in government-facing litigation arising under the FCA, resulting in the dismissal of qui tam complaints and successful settlements of FCA claims with DOJ.
Cybersecurity Matured: DoD Finalizes Cybersecurity Maturity Model Certification (CMMC) Program
On October 11, 2024, the Department of Defense (DoD) released a final rule (the “Final Program Rule”) formalizing the requirements, assessment processes, and related governance for its Cyber Maturity Model Certification Program (CMMC).[1] Continue Reading Cybersecurity Matured: DoD Finalizes Cybersecurity Maturity Model Certification (CMMC) Program
The Global Investigations Review Guide to Compliance
As the primary civil enforcement statute for investigating and remedying fraud in connection with United States government programs, the False Claims Act (FCA) has resulted in more than $75 billion in recoveries of government funds since 1986. The FCA imposes liability on any person or entity that knowingly submits false claims or certifications to the…
Another One: It Pays to Consult the DOJ under the Civil Cyber Fraud Initiative
On June 17, 2024, the Department of Justice (DOJ) announced a $11.3 million False Claims Act (FCA) settlement that touches on two key enforcement priorities: the DOJ’s Civil Cyber-Fraud Initiative and pandemic-related fraud. This settlement, the largest under the Civil Cyber-Fraud Initiative to date, resolved allegations that Guidehouse Inc. (Guidehouse) and its subcontractor, Nan McKay and Associates (Nan McKay), violated the FCA because they failed to conduct pre‑production cybersecurity testing on New York State’s Emergency Rental Assistance Program (ERAP) technology product before public launch, and that Guidehouse used an unapproved third-party data cloud software program to store personally identifiable information (PII).Continue Reading Another One: It Pays to Consult the DOJ under the Civil Cyber Fraud Initiative
No End “Insight” for DOJ’s Civil Cyber-Fraud Initiative
On May 1, 2024, the Department of Justice (DOJ) announced that Insight Global LLC (Insight), an international staffing and services company, will pay $2.7 million to resolve allegations that it violated the False Claims Act (FCA) by failing to implement adequate cybersecurity measures to protect personal health information (PHI) and personally identifiable information (PII) under its contracts with the Pennsylvania Department of Health (PADOH) to provide staffing for COVID-19 contact tracing services. Although contracts with state agencies generally fall outside the FCA’s ambit, PADOH paid Insight using funds received from the federal Centers for Disease Control and Prevention (CDC)—bringing the contract within the FCA’s scope. Continue Reading No End “Insight” for DOJ’s Civil Cyber-Fraud Initiative
“Miss Me with Rev. 3,” Says DoD: DoD Issues Class Deviation Linking DFARS 7012 to NIST SP 800-171, Rev. 2
On May 2, 2024, the Department of Defense (DoD) issued a class deviation to DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 7012), specifying that contractors subject to the clause must comply with NIST SP 800-171, Revision 2. The deviation (labeled Deviation 2024-O0013) will delay the incorporation of NIST…
The Top FCA Developments of 2023
2023 brought many important False Claims Act developments for companies with business involving government funds. While overall recoveries remained down compared to pre-2022 levels, the total number of settlements and judgments exceeded any prior year. Those settlements and judgments also highlight areas of particular focus for the Government, including cybersecurity compliance, pandemic fraud, and small…
No Longer Cloudy: DoD Issues New Guidance on FedRAMP Moderate Equivalency Cloud Security Requirements
The Department of Defense (DoD) recently published a memorandum clarifying what it means for a cloud service provider (CSP) to be Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline “equivalent” and meet incident reporting requirements under Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 7012). The memorandum states, in order to be considered FedRAMP equivalent going forward, CSPs must (1) be FedRAMP Moderate/High-Authorized, or (2) secure a third-party assessment confirming their compliance with all FedRAMP Moderate baseline security controls.Continue Reading No Longer Cloudy: DoD Issues New Guidance on FedRAMP Moderate Equivalency Cloud Security Requirements
Special Edition of the Fastest 5 Minutes:
CMMC
This special edition covers DoD’s proposed rule for the Cybersecurity Maturity Model Certification Program, and is hosted by Peter Eyre, Michael Gruden, and Nkechi Kanu. Crowell & Moring’s “Fastest 5 Minutes” is a biweekly podcast that provides a brief summary of significant government contracts legal and regulatory developments that no government contracts lawyer or…
DoD’s New Year Resolution: A Cybersecurity Maturity Model Certification Program (CMMC) Proposed Rule
On December 26, 2023, the Department of Defense (DoD) released the highly anticipated proposed rule for the Cybersecurity Maturity Model Certification Program (CMMC), a cybersecurity regulatory program that will likely impact most of the government contractor community. Every contractor who handles sensitive data such as Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) during DoD contract performance will be covered by this regulation. While the CMMC program builds upon the security requirements included in Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, CMMC will bring greater scrutiny to contractors’ cybersecurity compliance and potentially greater consequences for failure to comply in the era of the Department of Justice’s Civil Cyber Fraud Initiative and False Claims Act litigation. If finalized as proposed, the rule will significantly impact the CMMC regime, notably by requiring senior company officials to complete an affirmation for every CMMC level self-assessed or certified, thus increasing legal compliance risks.Continue Reading DoD’s New Year Resolution: A Cybersecurity Maturity Model Certification Program (CMMC) Proposed Rule