September 6, 2022
Aerojet Rocketdyne, Inc. (Aerojet) agreed to pay $9 million to settle a False Claims Act (FCA) case filed by a cybersecurity whistleblower. This is the largest FCA cybersecurity settlement since the Civil Cyber-Fraud Initiative was launched by the DOJ in October 2021. The Aerojet settlement is encouraging for cybersecurity whistleblowers and may, in fact, prompt more to come forward. It highlights the potential liability for making false claims to government entities about cybersecurity controls.
Aerojet develops and manufactures products for aerospace and defense industry clients including the DoD and NASA. Defense contracts are subject to Federal Acquisition Regulations that require safeguarding unclassified, controlled technical information from cybersecurity threats. Similarly, contracts with NASA require compliance with relevant NASA acquisition regulations. These regulations set forth the required security for systems storing sensitive, but unclassified, information belonging to the federal government.
Aerojet’s former senior director of cybersecurity, compliance and control, Brian Markus, filed the FCA case in 2015. Markus alleged that Aerojet did not meet the minimum cybersecurity requirements set out in the DoD and NASA’s regulations for contractors, despite claiming to the contrary in certifications to the government. He further claimed that the government contracts were awarded to Aerojet based on these false statements.
After Markus refused to sign cybersecurity compliance documents, he raised the issue internally to Aerojet. Later the same year, he was fired. He subsequently filed the FCA case. Although the government declined to intervene in the whistleblower’s case, it did file a statement of interest in favor of several of the whistleblower’s arguments. According to the DOJ’s press release, the settlement happened on the second day of trial. The whistleblower will receive an award of $2.61 million.
Cyber-fraud attacks targeting government programs and operations have increased exponentially in recent years. As we previously reported, the DOJ launched the Civil Cyber-Fraud Initiative in an attempt to encourage more cybersecurity whistleblowers to come forward.
The initiative provides accountability for putting U.S. information or systems at risk by knowingly 1) providing deficient cybersecurity products or services; 2) misrepresenting cybersecurity practices or protocols; or 3) violating obligations to monitor and report cybersecurity incidents and breaches.
[W]e will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.
– Deputy Attorney General Lisa O. Monaco
If you are aware that a government contractor has falsely certified compliance with its cybersecurity requirements, or failed to report a cybersecurity breach, we urge you to contact us. Our attorneys include several former federal prosecutors with experience safeguarding sensitive government information. We can discuss your concerns in a confidential and secure setting. We can also advise you on the best options to prevent critical information and data from falling into the wrong hands.