By Frank Tanzola and Ken Chapman of IAT Surety, a member of IAT Insurance Group
Published April 7, 2022
Exposure under the False Claims Act extends to cybersecurity and American-made materials requirements. Businesses contracting with the government will need sharp focus on compliance requirements to avoid potentially costly fees, organizational distraction and litigation.
NOTE: This article should not be used as legal advice but merely recommendations for FCA compliance. All parties should consult legal counsel of their choice and seek expert advice on legal and compliance issues.
To combat fraud and ensure compliance with Federal Acquisition Regulations (FARs) and other applicable laws and regulations, the federal government has expanded its use of the False Claims Act (FCA).[1] The origins of the FCA go back to the Civil War when it was enacted to protect against fraud by suppliers to the Union Army.
Enforcement and recoveries under the FCA rose substantially after amendments were implemented in the 1980’s increasing protections and recoveries for whistleblowers, which are private parties pursuing claims under the FCA (known as “qui tam” actions).
The FCA provides for treble damages and fines assessed for each separate violation, and conduct violating the FCA carries potential criminal liability under other statutes. Since 1986[2], the Federal government has recovered over $35 billion in proceedings under the FCA. Recent changes in federal law, including in the areas of cybersecurity, non-discrimination compliance, and increased domestic materials requirements under the Buy American Act are expected to support this trend.
What does this mean for businesses and individuals who contract with the federal government?
For starters, it increases their exposure. Therefore, contractors and vendors must understand the myriad of government regulations and certifications associated with the contracts they enter into with the Federal government. Moreover, know that when state or municipal projects are wholly or partially federally funded, the FCA is applicable. Keep in mind that many states also employ their own FCA statutes; consequently, increasing the compliance bar.
Don’t allow a lack of oversight and potential noncompliance to cost you. Where FCA implications could be present, the following are some areas you need to know to protect yourself against an increasingly complex regulatory environment, violations of which are punishable under the FCA.
Cybersecurity
To protect the federal government from the growing threat of cyber breach, the Department of Justice recently instituted the Cyber-Fraud Initiative to increase government prosecution and encourage more whistleblowers to come forward in instances of violations of applicable cybersecurity standards by government contractors.[3] These standards are also applicable to third parties doing business with the government contractors and handling potentially sensitive information.
At the same time, the Department of Defense (DOD) attempted to lessen the contractor burden for cybersecurity requirements by allowing contractors to self-assess and self-attest their own cybersecurity compliance. However, with its Cybersecurity Maturity Model Certification 2.0, certification by an independent third party will be required going forward.[4] While this may appear burdensome to some contractors, self-assessments lack the clarity and weight of third-party certification, which opens contractors up to increased second-guessing from the government and whistleblowers and potential FCA lawsuits.[5]
Buy American
Executive Order 14005, “Ensuring the Future Is Made in All of America by All of America’s Workers,”[6] impacts all businesses that sell or supply products to the federal government or provide services to the federal government using sourced products.
In March 2022, a final rule was added to the requirements, tightening domestic preference policies to increase domestically sourced materials. Along with iron and steel, drywall, glass and plastic have been included in the materials requirements, stretching this requirement as far down the supply chain as possible.
The required domestic content threshold will incrementally increase over the next seven years, from 55% to 60% by October of 2022, 65% by 2024 and 75% by 2029.[7] Contractors working on multi-year projects are now required to monitor compliance with potentially increasing threshold requirements during the life cycle of a project, although contracting officers will have the discretion to continue the thresholds in effect at the time of contracting if complying products are not available or are too expensive to be practical. Further, international trade agreements exempt supply contracts over $183,000 and most construction contracts over $7.032 million from the Buy American Act requirements (however, all set aside contracts regardless of value are still subject to the BAA requirements).
More Power to Whistleblowers
While tightening requirements on contractors and other vendors, the government is also incentivizing private individuals to report cases of potential fraud.[8] Over the years, economic incentives for whistleblowers in the form of percentages of amounts recovered under FCA claims have gradually increased.
4 Best Practices to Help Protect Your Business
There are a lot of moving parts and boxes to check when it comes to ensuring government compliance. For small or minority-owned businesses, who are often favored in government contracts, the resources might not be readily available to deal with evolving standards. However, investing in the right resources could save your business in the long run against expensive investigatory fees and costs, potential fines and penalties, and even debarment from Federal government contracts. When initiating your compliance journey, consider following these best practices:
- Read your contracts and supporting documents and be aware of all the requirements you’re assuming responsibility for. Make sure you thoroughly understand the exposure of non-compliance.
- Dedicate one or more staff members to evaluate and monitor compliance. This person should review your contracts and overall organizational compliance with government FAR requirements and close all potential compliance gaps.
- Engage your surety agent, surety underwriter and attorney. Your business partners are your best assets. Use them. Be transparent with them. They can only help if they know what your requirements are and what requirements you meet.
- Document EVERYTHING. If the government takes issue with your compliance, you will need strong documentation that validates your compliance.
[1] The United States Department of Justice “The False Claims Act,” February 2, 2022.
[2] Practical Law “Understanding the False Claims Act,” 2015.
[3] The U.S. Department of Justice “Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative,” October 6, 2021.
[4] Office of the Under Secretary of Defense “Securing the Defense Industrial Base CMMC 2.0.”
[5] Law360 “DOD’s Cybersecurity Overhaul Creates New FCA Risk,” November 5, 2021.
[6] The White House “Executive Order on Ensuring the Future Is Made in All of America by All of America’s Workers,” January 25, 2021.
[7] Crowell, “Administration Makes Good on Promise to Increase Domestic Content Requirements under the Buy American Act,” March 2022.
[8] Law360 “Biden’s Infrastructure Funding Comes With Strings Attached,” January 6, 2022.