The year 2022 is shaping up to be a pivotal one for thwarting the growing number of cybersecurity threats in the United States. On March 15, President Biden signed into law the “Strengthening American Cybersecurity Act.” The three-bill bipartisan package requires certain entities to report cybersecurity incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. It also requires entities to report ransomware payments to CISA within 24 hours.
Once in effect, the new law will considerably expand the opportunities for whistleblowers to assist the federal government with addressing potential False Claims Act (FCA) violations that may arise as a result.
Stemming from an idea that has languished for years with lawmakers amid industry pushback, this measure is a step in the right direction to combat cyberattacks. In addition, the growing number of catastrophic cyberattacks in recent years, including the May 2021 attack on Colonial Pipeline, as well as the looming threat of Russian cyberattacks, further highlights the need for stronger cybersecurity governance.
While it is too early to determine the full effects of the law amidst the developing cybersecurity landscape, the role of whistleblowers in the industry is more critical than ever.
Who Are the “Covered Entities” Under This Legislation?
Pending forthcoming rules and regulations to clearly define who is required to do what, whistleblowers should pay close attention to the actors that the new legislation targets. As the new law is written, “covered entities” are broadly defined to include the 16 critical infrastructure sectors listed in the Presidential Policy Directive 21.
The sectors are as follows:
- Commercial facilities
- Critical manufacturing
- Defense industrial base
- Emergency services
- Financial services
- Food and agriculture
- Government facilities
- Healthcare and public health
- Information technology
- Nuclear reactors, materials, and waste
- Transportation systems
- Water and wastewater systems
Whether an entity falls under a certain sector will depend on whether “the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
What Constitutes “Covered Cyber Incidents”?
Whistleblowers should also take note of the types of incidents that the new legislation seeks to identify and detect.
At a minimum, “covered cyber incidents” under the new law are those that:
- Result in a “substantial loss of confidentiality, integrity, or availability” of information, or a “serious impact on the safety and resiliency of operational systems and processes”
- Cause a “disruption of business or industrial operations, including due to a denial of service attack, ransomware attack, or exploitation of a zero day vulnerability”
- Involve “unauthorized access or disruption of business or industrial operations” due to a “compromise of a cloud service provider”
Calling on Whistleblowers in the Wake of the New Legislation
Leveraging the FCA to blow the whistle against companies that fail to comply with federal cybersecurity procurement regulations is nothing new. Cloud Service Providers with government contracts to provide cloud-based platform, infrastructure, application, or storage services have always been required to comply with the Federal Risk and Authorization Program (FedRAMP).
The government’s FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Among other things, FedRAMP requires the providers to implement proper monitoring devices to detect and promptly report cybersecurity incidents.
FedRAMP authorization is required for all cloud service providers that store and process government data. Government contractors are subject to FedRAMP authorizations, and the failure to abide by these rules could constitute a material violation of the FCA.
In addition, government contractors and subcontractors supplying products and services to the Department of Defense are also required to follow the regulations promulgated in the National Institute of Standards and Technology 800 series (NIST 800).
Government contracts for security products and software solutions present a list of relevant software security clauses, which are material provisions in the contract that the government relies on to ensure product security. Non-compliance with NIST regulations is also an FCA violation.
The new law puts real teeth and enforcement into what already exists. Whistleblowers with inside information should act now for the losses that the government and taxpayers incurred (and will continue to incur) when entities fail to satisfy their cybersecurity obligations.
Accordingly, whistleblowers could consider the following:
- Determine the Key Bad Players: This includes owners of critical infrastructure operations that fall under the “covered entities” sectors listed above, cloud service providers, and government contractors and subcontractors.
- Assess the Types of Wrongdoing: Common examples of wrongdoing include: failing to comply with the cybersecurity standards in the government contract; failing to report suspected cyber breaches in a timely manner; avoiding the obligation to obtain FedRAMP authorization; and misrepresenting or omitting information necessary for the government to make informed decisions about purchasing cloud-based products.
Our Whistleblower Team Will Advocate for You
At Sanford Heisler Sharp our team of highly skilled lawyers knows what it takes to help whistleblowers expose wrongdoing and recover substantial awards. If you have any questions or concerns about the cybersecurity policies implemented at your company, then please don’t hesitate to get in touch with our firm so we can take a look at your case and explain all of your options under the law.