CMMC Compliance and SPRS Reporting Risks

Federal contractors must ensure accurate SPRS score reporting and full CMMC compliance, or face liability under the False Claims Act and DOJ's Civil Cyber-Fraud Initiative.


Federal contractors play a vital role in protecting sensitive government information. Contractors that handle Controlled Unclassified Information (CUI) must assess their implementation of NIST SP 800-171 and submit the resulting score to the Department of Defense (DOD) through the Supplier Performance Risk System (SPRS). The Defense Federal Acquisition Regulation Supplement (DFARS) clauses behind these obligations are not new: the requirement to implement NIST SP 800-171 has been in force since the end of 2017, and the requirement to post an assessment score in SPRS since late 2020. The DOD created the Cybersecurity Maturity Model Certification (CMMC) because self-reported scores alone could not be relied on; CMMC adds verification of what a contractor attests to, whether the score is high or low. The stakes for contractors are now even higher where compliance and accurate reporting are concerned.

The Department of Justice Civil Cyber-Fraud Initiative

The Department of Justice (DOJ) launched the Civil Cyber-Fraud Initiative in 2021. Deputy Attorney General Lisa O. Monaco stated, “The Civil Cyber-Fraud Initiative will utilize the False Claims Act (FCA) to pursue cybersecurity related fraud by government contractors and grant recipients.” (https://www.justice.gov/archives/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative)

The False Claims Act (FCA) of 1863 (31 U.S. Code § 3729 et seq.) was signed by President Abraham Lincoln to crack down on fraudulent defense contractors during the Civil War. The FCA provides that any person who knowingly submits, or causes to be submitted, a false claim to the government is liable for three times the government’s damages plus a per-claim civil penalty that is adjusted for inflation (DOJ 2023).

Misrepresenting a SPRS score may fall under the FCA and its penalties.

Even if a contractor intends to become fully compliant in the future, submitting a misleading score in the interim may still be a false claim if the score was material to the government’s decision to award, or pay on, a contract.

The whistleblowers

A key component of the Civil Cyber-Fraud Initiative is the FCA’s whistleblower (qui tam) provision, which gives individuals who report that their organization misrepresented its compliance a share of any recovery, an incentive to come forward.

Whistleblowers may report the gap between an organization’s actual SPRS score and the score entered into the SPRS database. The DOD uses the score to gauge the cybersecurity risk a contractor poses, and it is expected to reflect a good-faith self-assessment. Accurate reporting is in the interest of prime contractors as well as the DOD, because the score indicates how well CUI is protected down the supply chain. The director or officer who signed off on the SPRS submission may face civil, and potentially criminal, liability alongside the company as a whole, which gives the C-suite a direct stake in CMMC compliance.

Too small for whistleblowers?

One might assume the FCA applies only to large organizations, that the DOJ has no time for small ones, or that an organization is too small to suffer a cybersecurity incident. None of this holds. Small organizations have become a preferred target for cyber criminals and nation-state actors, which is part of why CMMC exists. In fact, 83% of all FCA claims are brought by whistleblowers (https://www.justice.gov/archives/opa/press-release/file/1233201/dl?inline=), and small businesses make up 73% of all defense contractors (DOD Small Business Strategy, Jan 2023). Compliance is required at every level; the number of employees does not matter.

What you should do

First, ensure you are compliant with CMMC. CMMC is not just an IT project; senior leadership must be involved and committed to the compliance journey. Second, report your score accurately. Third, make sure all employees know that raising cybersecurity issues and concerns is welcome. Finally, if your organization has questions or challenges around CMMC and compliance, reach out to a qualified member of the CMMC ecosystem.

Questions?

Do you have questions about CMMC, the FCA, or SPRS reporting? Feel free to contact me, and if you’re ready for your CMMC assessment, please consider scheduling time to talk about how Smithers can help.

About the author: Robert McVay is a senior consultant for information security services in Smithers Quality Assessments Division.

https://calendly.com/robert-mcvay/defense-munitions-meeting-15-min

Smithers
https://www.smithers.com

July/August 2025