The US Dept. of Defense, through its representative Katie Arrington, has repeatedly threatened the Defense Industrial Base (DIB) companies with “False Claims Act” (FCA) prosecutions if they eventually do not comply with the demand to obtain CMMC certification. To that end, Arrington and others have started peppering public appearances with calls for whistleblowers to help inform the DoD when DIB companies fail to comply. Using what are known as qui tam (“kee-tam” or, in posh circles, “kwee tahm”) lawsuits, whistleblowers can rake in huge court rewards for revealing FCA violations by companies they may work for.
While the criticality of the US’ cybersecurity backbone is critical to national security, and companies eventually bidding on contracts that require CMMC certification should not make such bids unless they intend to comply, the DoD’s claims on False Claims Act prosecutions are, ironically, a bit false in themselves.
First, remember that Arrington and the DoD have repeatedly claimed the DIB is comprised of 300,000 companies, and most agree that number is highly inflated. Nevertheless, Arrington has then boldly claimed that CMMC would extend beyond a mandate by the Dept. of Defense, and eventually be flowed down to every single company selling anything to the US government, to any agency, anywhere. At this point. Arrington is planning to push CMMC onto millions of companies, each of which would then be subject to FCA lawsuits if they fail to comply. And the penalties for losing such suits can be serious, typically resulting in massive fines, but even leading to potential criminal charges if fraud is proven.
But let’s limit the number to 300,000, dismissing Arrington’s other claims as the wishful fantasies of an overcaffeinated salesperson. Can the DoD literally prosecute 300,000 FCA cases?
The answer is clear: of course not.
Right now a single FCA case, Markus v Aerojet Rocketdyne, is making its way through the courts. That case tightly mirrors what will arise from CMMC-related FCA cases, as the plaintiffs allege the defense contractor Aerojet violated its cybersecurity requirements for NIT 800 compliance, in violation of a contract with the Dept. of Defense. The case was filed in Federal court in 2017, but arose from an earlier finding in a prior court. Dozens of filings later, the case is not scheduled for trial into 2021, with a result not likely to emerge until 2022 or later. This means a single FCA case prosecuted by the government will have taken five years from start to finish. Making matters worse, the most recent filings suggest the court is taking a sympathetic stance with the defendants, meaning that the final ruling may not even find the defendant guilty of an FCA violation at all.
So keep those dates in mind, as we move forward.
In a qui tam suit, a whistleblower raises the suit on behalf of the Federal government and can receive a portion of any monies collected as a result, thus helping to recruit whistleblowers to help identify fraudsters. Another portion of FCA cases arise directly from the government — without a whistleblower — and are called non qui tam cases. All such cases are managed by the Dept. of Justice, not the Dept. of Defense.
In 2018, the DoJ published data showing that in that year, it had filed 122 non qui tam cases, and 645 qui tam cases, for a total of 767 FCA cases. The DoJ then reported it collected a total of about $1B in penalties, fines and settlement awards. What the DoJ does not reveal, however, is how that $1B was divided amongst the cases reported, and whether all 767 cases were litigated. The court docket suggests this was unlikely, and that the $1B came from a handful of large settlements from a portion of the 767 FCA cases, and that many of the cases were never pursued at all.
Which is why the Markus v Aerojet case is getting so much attention. It’s rare.
Now we go back to the threats of the DoD and Arrington, saying it intends on holding 300,000 companies to the threat of FCA litigation if they do not comply. Then consider Arrington’s claim that the CMMC program will largely be rolled out within five years.
Let’s assume that CMMC achieves a remarkable 90% penetration and that only 10% of the DIB don’t play along, but are still under government contracts and represent legitimate FCA violators. That brings the total potential FCA cases related to CMMC to 30,000, who — if Arrington’s threats are to be believed — would be referred to the DoJ for prosecution.
Now remember, again, Markus v Aerojet. If that single case required five years of the court’s time to litigate, then the DoD intends on clogging the District Court’s docket with a flood of an additional 150,000 years of court time.
Obviously, that’s not how courts work, and cases would run in parallel. But still, the cases would have to be litigated at the District Court level, where dockets are (a) typically backlogged and (b) worsened by a compounded backlog due to COVID.
Next consider that the majority of the 767 cases filed in 2018 were not even defense-related, but instead healthcare-related. So whatever flood of cases the DoD intends on creating would be in addition to the number of cases the DoJ is already struggling to litigate.
If the DoJ is already struggling to process 767 cases in a single year, how would it handle 30,000 cases? Even if that were spread over five years, it would still push an additional 6,000 cases per year onto an already overwhelmed docket.
What is more likely to happen is the approach currently taken by the DoD when it comes to enforcing ITAR, the International Traffic in Arms Regulation. For ITAR violators, the DoJ typically picks a company every year or so to make an example of, and hits them with a massive fine and a public shaming. In 2019, for example, it was the tiny machine shop Darling Industries, which was hit with a $400,000 fine. And this was after Darling had self-reported its ITAR lapses, in an attempt to do the right thing. No good deed goes unpunished.
The intent here is to frighten others into compliance. The result is dubious at best, since many companies pursue and sign government contracts, or have them flowed down to them, and ignore ITAR anyway. The law is largely unenforced.
So for CMMC FCA cases, the DoD is only likely to refer a tiny handful of cases to the DoJ for non qui tam suits. Then, some qui tam whistleblowers may report a few dozen out of the 300,000 DIB companies, if Arrington is lucky. The government will then engage in “prioritizing” these cases, determining which ones would have the most effect on the DIB to improve compliance through the assessment of fines and publish shaming by press release. not every qui tam suit makes the grade to full-on litigation.
Thus, the reality is that the DoD will not prosecute any FCA claims, because that’s not its job. The DoJ does this, and they are — at most — likely to process a tiny handful of CMMC related cases per year. Those coming from the qui tam whistleblowers that Arrington is courting are likely to be from disgruntled employees who want to make some quick cash sniping their former employers; this likelihood goes up of those same employees join (or form) a company that competes with their prior one.
I want to be very clear here: if your company is signing up for a DoD contract that requires CMMC, and you intentionally intend to violate that requirement, you deserve whatever penalty comes your way. My arguments herein should not be misconstrued as charting a course that allows noncompliance. Even if the government “prioritizes” cases, and even if you think you can beat the odds and not get caught up in the FCA net, you shouldn’t be operating a company on those kinds of ethical lapses. If you get arrested or sued into extinction, you deserve it.
But at the same time, the statements made by Arrington and her ilk are disingenuous at best, and should be tempered. Arrington has put her own personal success and sense of self-worth on the line for the CMMC program. The exaggerations by her and her team are done more for politics and self-advancement, — and to bully the DIB into adopting CMMC, since her attempts to win hearts and minds isn’t working — and as a result, are dangerous for DIB companies who need accurate information.
So the truth will be that (a) yes, you must comply with any DFARS or government contract clause you sign up for, and (b) no, the DoD cannot physically carry out the threats of FCA litigations to the scale they are claiming. The DOD should be using far different tactics than FUD to make its case for CMMC.
You will have to decide where your company lands on the truth that resides between these two realities.
NOTE: The DoJ recently released the 2020 figures for its FCA cases, and the numbers only went up slightly: 250 non qui tam suits, and 672 qui tam suits, for a total of 922.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015. He reviews wines for the irreverent wine blog, Winepisser.