US Government to Fine Government Contractors who Fail to Follow Required Cybersecurity Standards (Civil Cyber-Fraud Initiative)

October 14, 2021

On October 6, 2021, the U.S. Department of Justice (DOJ) said “it will go after federal contractors that fail to report cybersecurity incidents to the U.S. government.” (The Hill) Deputy Attorney General Lisa Monaco “said the initiative will allow the Justice Department to use its authorities under the False Claims Act to fine government contractors that ‘fail to follow required cybersecurity standards.’” (The Hill). “The False Claims Act is the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations.” (

The Civil Cyber-Fraud Initiative “will hold accountable entities or individuals that put U.S. information or systems at risk by”:

  • knowingly providing deficient cybersecurity products or services,
  • knowingly misrepresenting their cybersecurity practices or protocols,
  • or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.

Cyber incident notification laws are nothing new but they are getting a lot more attention with the increase in cyber-attacks gaining national attention. Some Federal government agencies, such as the Department of Defense (DOD), have specific reporting requirements already in place – under the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012.

In July 2021, a bipartisan group of Senators also introduced the Cyber Incident Notification Act of 2021. This Act would require federal government agencies, federal contractors, and operators of critical infrastructure to notify the federal government in the event of a cybersecurity incident.

What should government contractors do now?

  • Determine what laws and regulations (local, state, and national) apply to your organization
  • Develop compliant policies and procedures that address incident reporting and other cybersecurity requirements
  • Enhance technical capabilities against cybersecurity intrusions
  • In the event of an incident, properly notify the proper authorities in a timely manner

In addition to the above, Aprio recommends the following actions to develop a robust cyber incident discovery and reporting process:

  • Continually evaluate network systems and physical security of the facility
  • Develop descriptions of controlled unclassified information (CUI) in possession of the organization
  • Develop and improve capabilities for rapid detection of threat to data and the systems they reside on
  • Develop procedures for incident response, documentation, retention, and audits
  • Develop cybersecurity awareness and training programs for employees and contractors
  • Identify and pre-determine resources for incident response activities
  • Maintain accurate and regularly updated contact information for customers, contractors, and employees involved in incident response
  • Prepare mitigation plans for incidents and/or breaches
  • Review policies and procedures

Got questions? Schedule a Consultation with an experienced Aprio advisor today.