Defense Contractors Are Silencing Their Cybersecurity Watchdogs
The US Department of Defense's implementation of a new cybersecurity framework, the Cybersecurity Maturity Model Certification 2.0, or CMMC, will require more than 300,000 military contracting companies to improve their cybersecurity protections.

These safeguards are critically important, but it appears that more than half of military contractors are unprepared to meet these new requirements when phase 1 begins on Nov. 10.

Over the past several years, we have seen that cybersecurity whistleblowers at defense contractors are increasingly willing to come forward. Major companies, including Raytheon and Aerojet Rocketdyne, have already paid millions of dollars to the US Department of Justice to resolve cybersecurity fraud claims brought by whistleblowers under the federal False Claims Act. In general, whistleblowers bring such claims because their employer ignores or retaliates against them when they raise concerns internally.

In my practice, I've seen a significant increase over the past year in the number of cybersecurity professionals facing retaliation for blowing the whistle internally on their employers' cyber unpreparedness. In my experience, these professionals do not come to me for a payday or out of spite, but rather because they believe that failing to meet these standards creates a serious liability risk for their employers and, more importantly, risks exposing our sensitive national security data to bad actors.

CMMC requirements

Chief information security officers and other cybersecurity professionals are at the vanguard of ensuring CMMC compliance. These experts bear the responsibility of identifying vulnerabilities, designing remediation plans, and advocating for the resources necessary to achieve certification.

Importantly, the CMMC requirements were on their radar for a long time. While the November implementation is an important milestone, the journey toward these new CMMC requirements began much earlier.

In 2015, the National Institute of Standards and Technology established a detailed set of practices designed to protect sensitive but unclassified data that, if compromised, could harm national security. In 2016, the Department of Defense made these best practices requirements for contractors handling this data. While DOD initially permitted contractors to self-assess their own compliance without independent verification, these assessments varied wildly in rigor and accuracy.

DOD set out to construct a system to ensure accountability, which eventually resulted in the publication of CMMC 2.0 in 2021. In it, the department laid out three levels of defense contractors with tiered verification processes (including third-party and, in some cases, government audits) depending on the sensitivity of the data the contractors handle. While the final DOD rule specifying the November 10 date was set earlier this year, companies have had years to prepare and ramp up their cybersecurity standards.

Whistleblowers face pushback

I've seen a dramatic uptick over the past year in retaliation claims brought by cybersecurity professionals. The cause of this phenomenon appears straightforward: these professionals know that time is short before a certified third party or the government is going to verify whether their self-reported cybersecurity compliance is accurate. In their view, the time to speak out is now, and in return they have faced consequences.

When cybersecurity professionals report noncompliance or refuse to sign off on inaccurate assessments, they may deal with marginalization, hostile work environments, demotions, and, in some cases, termination. These actions create a chilling effect that undermines the goals of CMMC and makes our country less safe.

From their companies' perspectives, achieving CMMC compliance can be costly. It requires investments in new technologies, personnel training, and system architectures. Companies facing these expenses may view professionals trying to safeguard national security data as obstacles to profitability.

The employees who raise these significant whistleblower claims often have strong legal protections against retaliation. The Defense Contractor Whistleblower Protection Act specifically protects employees of defense contractors who report violations of laws or regulations relating to a DOD contract. Moreover, the federal False Claims Act and, in certain circumstances, the Sarbanes-Oxley Act may also offer protections to an employee who reports knowing misrepresentations of cyber compliance.

Beyond federal protections, states such as California, New York, Virginia, and New Jersey have enacted strong statutes (in some cases stronger than the federal statutes) prohibiting retaliation against employees who raise concerns about violations of law.

The CMMC framework represents a promising evolution in protecting America's defense industrial base from cyber threats. Its success depends on protecting the professionals charged with its implementation.

As cybersecurity requirements continue to mature, employers must recognize that investing in compliance is not merely a regulatory burden but a strategic imperative. Professionals advocating for these investments deserve support, not retaliation.

Defense contractors should be on notice: those that retaliate against employees working to ensure cyber preparedness not only jeopardize our national security but expose themselves to significant legal liability.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law, Bloomberg Tax, and Bloomberg Government, or its owners.

Matthew LaGarde is a whistleblower attorney and partner at Katz Banks Kumin and co-author of the firm's cybersecurity and data privacy whistleblower protections guide.