DOJ and Aerojet Settle for $9 Million in Qui Tam Cybersecurity False Claims Act Case | McGuireWoods LLP

On July 8, 2022, the U.S. Department of Justice announced a $9 million settlement with federal government contractor Aerojet Rocketdyne, Inc. for alleged violations of the False Claims Act (FCA) in a case pending in the Eastern District of California. The settlement results from alleged false statements by Aerojet related to compliance with Department of Defense cybersecurity requirements described in DoD Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 and National Aeronautics and Space Administration Federal Acquisition Regulation Supplement (NFARS) clause 1852.204-76.

The settlement further underscores DOJ’s commitment to FCA enforcement actions involving cybersecurity considerations related to its Civil Cyber-Fraud Initiative announced in October 2021. To that end, the settlement serves as a clear reminder to contractors that DOJ and the plaintiffs’ qui tam bar are taking the Cyber-Fraud Initiative seriously and suggests that close understanding of and adherence to federal agency contractual cybersecurity requirements have become important mandates for the government contracting community broadly and the defense industrial base in particular.

In the Aerojet case, a relator, the former senior director of cybersecurity, compliance and controls at Aerojet, filed a whistleblower suit in October 2015 under the qui tam, or whistleblower, provisions of the FCA, alleging that Aerojet had misled the DoD and NASA about its cybersecurity compliance posture. Under the FCA, individuals may file suit against those who knowingly misrepresent themselves to the government by submitting false claims, records, or statements. See 31 U.S.C. §§ 3729(a)(1)(A) and (B). Here, the relator alleged that Aerojet failed to comply with the DFARS and NFARS clauses, which require the protection of controlled unclassified information (CUI) and other sensitive information, and knowingly made false statements to the contracting agencies concerning the nature and effectiveness of its compliance efforts. The relator alleged that, when he attempted to call attention to Aerojet’s failures, his employment was thereafter terminated.

In May 2019, a U.S. District Judge in the Eastern District of California denied Aerojet’s motion to dismiss the case, holding that Aerojet’s compliance with these cybersecurity clauses could be deemed material to the government's decision to award Aerojet government contracts and pay invoices thereunder. The decision was the first of its kind, preceding the settlement in the Comprehensive Health Services case, about which McGuireWoods reported in March 2022, and setting potential precedent for an FCA theory of liability based on allegations of a breach of contractual cybersecurity requirements. While DOJ announced this settlement in an April 27, 2022 court filing, the details remained sealed until last week. Out of the government’s $9 million settlement payment from Aerojet, the relator will receive a $2.61 million share. The settlement agreement also notes that, notwithstanding the settlement, Aerojet continues to deny having engaged in any unlawful action.

In furtherance of its Civil Cyber-Fraud Initiative, about which McGuireWoods first reported in October 2021, DOJ remains eager to announce victories in its efforts to bolster cybersecurity and combat cyber fraud. Federal government contractors should anticipate similar DOJ FCA enforcement suits surrounding cyber-related misrepresentations and violations. Contractors should also appreciate that this settlement and the associated $2.61 million relator’s share serve as encouragement to whistleblowers to file qui tam actions under the FCA for alleged cyber-related contractual violations. In cases such as the one involving Aerojet, the basis for liability is not necessarily failing to comply fully with the cybersecurity rules, but, rather, making false or reckless assertions about the state of a company’s compliance efforts, i.e., telling the contracting agency that the company is compliant when, in reality, it is not, or agreeing to incorporate certain requirements into a contract (e.g., DFARS 252.204-7012) when the company is neither meeting those requirements nor taking proactive actions to do so. The Aerojet settlement demonstrates that proactive compliance efforts, such as engaging with experts early to understand the specific requirements and methods to ensure compliance, can be critical to avoiding later enforcement or whistleblower actions.

This is an area that is also subject to recent increased regulatory scrutiny, as evidenced by DoD’s development of Cybersecurity Maturity Model Certification Program 2.0, which DoD is seeking to implement in RFPs within as early as the next 12 months. Additionally, the Federal Acquisition Regulation Council continues to consider a draft rule titled “Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems,” which, if implemented, would standardize cybersecurity requirements within federal civilian agencies that do not have a clause equivalent to DFARS 252.204-7012.

Against this backdrop, federal government contractors must not only continue to bolster their cybersecurity compliance efforts, but also make sure that representations and statements to federal agencies concerning the company’s cybersecurity infrastructure and initiatives are accurate and complete.

The authors thank McGuireWoods summer associate Maura Bradley for assistance preparing this legal alert. She is not licensed to practice law.

Comments are closed.