New DOD Rule May Encourage More Whistleblowing

technewsworld.com | Cybersecurity, IT Leadership, Tech Law

A new rule by the U.S. Department of Defense (DOD) aimed at beefing up cybersecurity at contractors doing business with the agency could spawn more whistleblowers in the military-industrial complex.

The rule, set to take effect Nov. 10, governs the agency’s Cybersecurity Maturity Model Certification (CMMC) Program, which verifies that defense contractors are compliant with existing protections for federal contract information (FCI) and controlled unclassified information (CUI) and are protecting that information at a level commensurate with the risk from cybersecurity threats, including advanced persistent threats.

It is largely a response to a series of reports by the DOD’s Inspector General from 2018 to 2023, which consistently found that the department’s contract officials failed to establish processes to verify that contractors complied with selected federal cybersecurity requirements for controlled unclassified information as required by the National Institute of Standards and Technology (NIST).

With the new rule, the CMMC program introduces an annual affirmation requirement, a key element for monitoring and enforcing accountability of a company’s cybersecurity status.

“At a very basic level, the new CMMC Clause Rule increases the risks that a defense contractor will make a false claim to the government, which is the foundation of False Claims Act liability, by falsely certifying compliance with the rule’s increased requirements,” explained Mary Inman, a partner with Whistleblower Partners, a law firm in San Francisco.

“With heightened risk of False Claims Act liability also comes increased opportunities for whistleblowers to alert the government to such transgressions and receive a financial reward,” she told TechNewsWorld.

Non-Compliance Harder To Conceal

In her Cyber Business Daily newsletter, Kate Fazzini noted that the new CMMC requirements will make cybersecurity compliance and certification explicit terms in many Department of Defense contracts.

“Misrepresentations — whether intentional or negligent — about assessments, controls, or maintaining a ‘current status’ will be more easily pursued under the False Claims Act and related statutes,” she wrote. “Contractors who allow lapses in compliance, or misstate their readiness, will face heightened legal exposure — particularly if government investigators or whistleblowers bring those failures to light.”

“The changes to CMMC will make compliance failures harder to conceal and more costly to ignore,” she added. “Cyber controls will no longer be only about defense but long-term viability in a market where insiders have both the means and the motivation to speak out.”

The CMMC rule creates new incentives for cyber whistleblowing by establishing concrete compliance standards that make violations more identifiable and reportable, transforming vague security expectations into specific, measurable requirements that employees can clearly recognize when breached, observed Frank Balonis, CISO and senior vice president of operations at Kiteworks, a provider of a secure platform for exchanging private data, based in San Mateo, Calif.

“With mandatory third-party assessments and potential False Claims Act liability for contractors who misrepresent their cybersecurity posture on federal contracts, insiders now have stronger legal protections and financial motivations to report non-compliance — particularly given that whistleblowers can receive up to 30% of recovered damages in qui tam cases,” he told TechNewsWorld.

Qui tam lawsuits, authorized under the federal False Claims Act, allow a private individual to sue on behalf of the U.S. government to expose fraud involving federal programs or contracts.

“The rule’s emphasis on continuous monitoring and documentation creates extensive paper trails that make it easier for employees to substantiate claims of inadequate security practices or fraudulent certifications, while the high stakes of losing federal contracts incentivize companies to cut corners, creating more opportunities for observant employees to witness and report violations,” he said.

“This combination of clearer standards, stronger legal frameworks, and significant financial consequences transforms cybersecurity compliance from an abstract concept into a concrete area ripe for whistleblower activity,” he added.

Compliance Obligations Built Into Contracts

Dale Hoak, the CISO at RegScale, a compliance automation software company in McLean, Va., argued that if an organization is doing the right thing and can prove it, whistleblowing isn’t a strategic risk.

“Where it could come into play is if internal concerns are raised but ignored,” he told TechNewsWorld. “In that case, employees may feel compelled to escalate externally. The healthier path is to treat internal reporting seriously, so it rarely has to go outside the organization.”

While the new compliance requirements aim to deter adversaries from targeting defense contractors, they could make them more attractive to cybercriminals.

“Just as cybercriminals like Black Cat/ALPHV ransomware group filed SEC reports when victims failed to report cyberattacks, cybercriminal whistleblowers have one more way to threaten organizations that may have thought they met requirements but negligently and accidentally misrepresented their current status,” maintained Karen Walsh, CEO of Allegro Solutions, a cybersecurity consulting company in West Hartford, Conn.

“With the False Claims Act and related statutes being incorporated into this version of CMMC requirements, we see again a burden placed upon smaller contractors,” she told TechNewsWorld.

“CMMC has always and will always place the greatest burdens on small and mid-sized contractors,” she said.

For example, she recalled the early days of the CMMC in 2021, when the training materials noted that contracts would be held to the Christian Doctrine, established in G.L. Christian & Associates v. United States. “This unique contract law doctrine reads compliance requirements into a contract even when not expressly included, holding the contractor responsible for assuming compliance even if the DOD or upstream contractor fails to include it,” she explained.

Inadequacy of Self-Attestation

Nevertheless, Brian Kirk, senior manager for information assurance and cybersecurity at Cherry Bekaert, an accounting and consulting firm headquartered in Raleigh, N.C., argued that the new CMMC rule is necessary to strengthen the cybersecurity posture of the Defense Industrial Base.

“Previous efforts, like requiring compliance with NIST SP 800-171, relied heavily on self-attestation, which proved insufficient,” he told TechNewsWorld. NIST SP 800-171 outlines the security requirements for protecting Controlled Unclassified Information in nonfederal systems and organizations — especially those working with the U.S. government.

“Many contractors failed to implement required controls, leaving sensitive Controlled Unclassified Information vulnerable,” Kirk explained. “CMMC introduces third-party assessments and structured accountability to ensure that contractors handling CUI are actually meeting the required cybersecurity standards.”

“With the Pentagon finalizing the CMMC rule, the program is officially moving from policy to enforceable requirements, and this has major implications for the channel,” added Andy Black, co-founder and CEO of Kovr.ai, a company focused on automating cyber compliance for cloud and hybrid environments, in Reston, Va.

“Resellers, managed service providers, and other partners supporting defense contractors now need to ensure their solutions meet CMMC standards, as contractors are increasingly required to flow these requirements through their supply chains,” he told TechNewsWorld.

John Ackerly, CEO and co-founder of Virtru, a provider of encryption and access control tools, in Washington, D.C., explained that CMMC 2.0 has been years in the making — streamlined from five levels to three, adjusted to reduce burden on small businesses, and refined through countless comment periods.

“The organizations that come out on top will be those who secured their CUI first with effective, low-time-to-value solutions, then augmented from there,” he told TechNewsWorld. “When contracts start including CMMC requirements, ‘we’re working on it’ won’t be enough.”
