Do you want to hear from the only attorney with False Claims Act experience specific to defense contracting and cybersecurity? Then register now for CMMC CON 2022 to listen in as attorney Gregory Thyberg discusses what is at stake for Defense Industrial Base (DIB) contractors that don’t meet compliance.
The Department of Defense (DOD) has long aimed to ensure contractors in the DIB comply with cybersecurity minimums as prescribed in Defense Federal Acquisition Regulation Supplement clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting. To further ensure that companies are honest in their reporting of compliance with contractual cybersecurity requirements, the federal government instituted the Cybersecurity Maturity Model Certification (CMMC) program, and the Department of Justice (DoJ) doubled down with the Civic-Cyber Fraud Initiative last October.
The Initiative seeks to utilize the False Claims Act to pursue fraud cases in the DIB. One such case specific to DFARS cybersecurity compliance was underway before the Initiative had begun and recently concluded.
In 2015, Brian Markus sued his former employer, Aerojet Rocketdyne Holdings, Inc., under the False Claims Act. Markus, the company’s Chief Information Security Officer (CISO), refused to sign a document claiming Aerojet Rocketdyne had achieved compliance, instead writing an internal memo with concerns that they hadn’t met compliance requirements. He was laid off shortly after that.
At CMMC CON 2021, Markus and his attorney, Gregory Thyberg addressed the case and the importance of compliance for contractors in the DIB.
In early July, Aerojet Rocketdyne agreed to pay $9 million to resolve the case. Thyberg will return to CMMC CON 2022 to discuss the case and the law that was broken with CyberSheath Vice President of Security Services Carl Herberger.