I was stunned to learn that Aerojet, a division of Rocketdyne, set legal precedent three weeks ago in the Federal District Court for the Eastern District of California. The heart of the matter is an allegation that Aerojet made false claims regarding their DFARS compliance readiness. Their fault wasn’t so much that they were not compliant, but from the fact that they overstated their readiness.
This ruling goes far beyond Aerojet. It is my expectation, as well as many other experts’, that this is just the first in a large number of similar charges against other contractors. From my reading, it appears that a whistleblower (their former CTO), is at the heart of the charges being brought against Aerojet. That should send nervous shivers to a boatload of contractor executives. The scary part is that one of the managers presumably responsible for gaining compliance, is the one turning them in.
Now, just think of all those conversations you’ve had with your security team where you rejected their budgets and projects to bring compliance; those discussions and emails can come to haunt you. Upper management can certainly make the argument that the company cannot afford to make those investments currently, however, as I have privately said to one executive, “that is a hard argument to defend when you’ve recently bought a six-digit car and went on a five-digit vacation.” Think about how that will play out in a courtroom. While this is important, we will stay focused on the foundation of this case, which is overstating compliance.
Dave Cunningham, Business Technology Officer at Alvaka Networks, summarized the ruling and problem very concisely:
Highlights
- Complaint against Aerojet was brought by a terminated Director of Security.
- Even though Aerojet disclosed it was not fully compliant with DFARS 252.204.7012, it overstated how compliant it was.
- Government rejected Aerojet’s defense that it thought the government did not actually expect contractors to comply because:
- The regulation is so vague and fluid, and
- It continues to issue orders to contractors who are not fully compliant.
Lesson learned: Clients should play by the book and not exaggerate how compliant they are.
If you want to read a good analysis of the court ruling by a law firm, Miles & Stockbridge, you can click on it here – California District Court Issues First False Claims Act Decision Involving the DFARS Cybersecurity Rule
If you are concerned about your risk and readiness for DFARS 252.204-7012, then consider engaging Alvaka Networks for our NetSecure and DFARS services. A good place to start is with a quick assessment of where you are currently in your readiness efforts. From there, we will be able to build out a good plan, with clear representations laid out about your current posture.