How CMMC and SPRS diligence can impact FCA implications

Recently, the Department of Justice (DOJ) has pursued cyber related charges against government contractors under the False Claims Act (FCA). While the charges are not directly tied to CMMC, they address poor cyber hygiene, a failure to protect data properly, and misinformed and inaccurate disclosures.

Now, as it becomes more apparent that CMMC is going to become a final rule by year-end, how do CMMC, SPRS (Supplier Performance Risk System), and the FCA come together?

Many defense contractors have been required to report their SPRS score for several years, and more companies will soon have to do so as well. If the SPRS score is done correctly, it is a demanding undertaking: measuring an organization's compliance with NIST 800-171 v2 (and all the objectives in NIST 800-171A). It forces an organization to undertake the rigor that CMMC will require as soon as it becomes law.

Under CMMC, if your organization reported an SPRS score but didn't undertake that rigor, you could potentially be opening the organization up to a False Claims Act charge. A perfect score is 110. Perhaps you knew you weren't perfect, so after a quick read of the scoring guide you reported your score as 83, clearly showing you need to improve. What happens when you hire a C3PAO (CMMC Third Party Assessor Organization) and they find you are at a 0, or a -37 score? How do you explain the difference to the government? (Spoiler: you cannot.)

What if you have a reportable cyber event under the current cyber DFARS? How do you explain that the controls you said were working and in place (via your inaccurate SPRS score) weren't working, or weren't in place, on "that" system? (Spoiler: you cannot.)

What if DIBCAC chooses you for a random audit? At CohnReznick we have helped clients who have been selected for random audits. What happens when they find out your controls are far worse than what was reported via SPRS? How do you explain this? (Spoiler: you know the answer, you cannot.)

You could have an employee decide they want to report their own organization as a whistleblower via the FCA. Maybe they’re disgruntled or maybe they feel it is their duty to improve the level of protection where they work. The employee's motivation is irrelevant, but the risk isn’t.

These are not hypothetical situations. They are happening to government contractors today.

Many organizations that haven’t taken the cyber DFARS seriously over the last decade are now facing a new risk as an impartial C3PAO comes into their organizations and reports the SPRS score through an independent verification and validation process. As the DOJ looks to focus on effective cyber hygiene, CMMC and SPRS will potentially provide easy prosecution targets.

What can you do?

Catch up on preparation now. Conduct a thorough and rigorous review of your environment, and correctly update your SPRS score. Listen to feedback and concerns from your employees – particularly those working in the IT organization – and show that you take employee concerns seriously, which may mitigate whistleblower risk. Use an independent third party to conduct the review and show that an independent firm agreed that your controls were proper. This also helps you to be ready for the pending CMMC approval and means your business will be ready to be certified, rather than risk having to pass on contracts because you can't meet the requirements.

How we can help

CohnReznick is a Registered Provider Organization (RPO) and a C3PAO. We can help you understand the real state of your environment, including your SPRS score. We can assist you in closing your gaps and provide guidance on how to incorporate your External Service Providers and Cloud Service Providers.

Our team has been directly engaged since the inception of the cyber DFARS. We helped shape CMMC. We have helped clients successfully pass their DIBCAC audits. We have passed our own DIBCAC audit. Our team can explain the history while helping you with practical implementation and guide you into the future with the watchful eye of a CMMC Certified Assessor. We bring our real-world experience and C3PAO certifications together to help you achieve your mission.

Our people

Bhavesh Vadhani, CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy

Stephen Gilmer, Director, Cybersecurity, Technology Risk and Privacy


This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. Neither CohnReznick LLP or its personnel provide legal advice to third parties. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees, and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.