Ed. note: This is the second article in a two-part series about a heightened need for vigilance by companies around the cybersecurity of their supply chains in light of recent activity around the False Claims Act (FCA). Part one addressed the legal landscape of the FCA as related to cyber risk and government supply chains and part two will address proactive steps that companies can take to reduce their FCA threat profile.
The False Claims Act or FCA (31 U.S.C. §§ 3729 – 3733) was enacted by Congress in 1863 in response to concerns about the sale of fraudulent goods to the Union Army. Today, the FCA is implicated if a company’s products or services introduce potential cybersecurity risks for requisitioning government agencies and those risks are not properly addressed when raised.
This craggy terrain calls for increased vigilance by companies selling hardware and software to government entities. “Business leaders should think carefully about what it means to managing the security supply chain and to manage your security towards outcomes,” remarked Chris Johnson, Global Compliance Lead for Google Cloud at CyberTalks, presented by CyberScoop in Washington, D.C., on October 24, 2019.
While companies like Nisos (disclosure: I work here) help assess supply chain vulnerabilities by performing attack simulations, vulnerability assessments, and threat investigations, it is imperative that companies adopt internal best practices to stay out of the crosshairs of the FCA. “Strong, proactive steps are the first lines of defense of your business from the whistleblower claims,” according to Chris Brewster, Administrative Counsel of the House of Representatives.
The Best Defense is a Strong Offense
The following are recommendations from National Institute of Standards and Technology and other industry experts on how to create a defensible perimeter around a corporate supply chain:
- Get clear on government requirements: Before entering into a contract, government contractors should scrutinize and document cybersecurity requirements and assess the company’s ability to comply with those requirements, according to DLA Piper. Negotiate the terms of the contract carefully and ensure that language describing compliance activities, employee training, and data protection procedures accurately reflects company practices.
- Command and control third-party software and components: Be prescriptive about security requirements associated with third-party wares in all contracts. Once a vendor is accepted in the formal supply chain, open up discussions about vulnerabilities and security gaps software when possible and unpack, inspect, and x-ray parts before definitively accepting them.
- Make security inextricable: Establish a secure software development lifecycle process for all software. Implement training for all engineers and employees in charge of supply chain cybersecurity and bake awareness and compliance into the overall employee experience. According to the Compliance Resource Center, organizations should educate employees on state law requirements pertaining to civil or criminal FCA penalties, whistleblower rights, and internal requirements for preventing, detecting, and reporting fraud waste and abuse. “By conducting employee training that emphasizes compliance and encouraging early internal reporting of potential issues before they ripen into FCA claims, companies can significantly reduce their threat profile,” advises Brewster.
- Increase automation: When possible, automate manufacturing and testing regimes to reduce the risk of human error.
- Document and track risk: Document activities and controls related to cybersecurity, such as operational assessments, analyses regarding whether the company possesses information that requires protection, and any correspondence with the government regarding exceptions, waivers, or applicability of cybersecurity requirements, according to DLA Piper.
- Open the lines of communication: Establish a transparent culture where potential whistleblowers are taken seriously. Ensure that managers and HR are prepared to receive and respond to insider concerns before insiders take their concerns to regulators or lawyers.
- Demonstrate diligence in HR documentation: Executives and managers should be on guard for disgruntled employees who may have incentives to commit fraud in order to make false whistleblower accusations after termination. While individuals who commit fraud as a whistleblower are barred from recovery for their own fraud, the cost and feat of proving the fraud are often high hurdles for a business. Mitigate against this potential threat by documenting employee performance, negative reviews, and reasons for termination. Establishing a protective backdrop in this manner can help refute allegations that the employee was terminated as retaliation for trying to prevent a false claim from being reported to the government.
- Establish a ”security handshake” for software and hardware: Secure booting processes should look for authentication codes and the system should not boot if codes are not recognized. Programs should capture “as built” component identity data for each assembly and automatically link the component identity data to sourcing information.
- Procure legacy support for products and platforms: Assure a continuous supply of authorized IP and parts to maintain continuity over systems. When legacy systems no longer have adequate support options, consider the vulnerabilities posed by the inability to patch or remediate.
- Limit access by third-party service vendors: Limit software access to as few vendors as possible. Limit hardware vendors’ physical access to mechanical systems and restrict access to control systems. Implement strong controls around physical access including maintenance of visitor logs and on-site supervision of vendors.
Recent FCA cases mark the increased vigilance required of government contractors, especially around cybersecurity requirements in supply chains. Implementing front-end measures like strong compliance programs, proper vetting of contract requirements, documenting HR issues, and limiting vendor access can substantially lower your company’s risk profile. Equally important is the need to adopt a culture of compliance which attends to insider concerns before they evolve into FCA claims and send companies down the slippery slope of litigation.
Jennifer DeTrani is General Counsel and EVP of Nisos, a technology-enabled cybersecurity firm. She co-founded a secure messaging platform, Wickr, where she served as General Counsel for five years. You can connect with Jennifer on Wickr (dtrain), LinkedIn or by email at firstname.lastname@example.org.