DoD Uses False Claims Act to Stop 800-171 Contractor Fraud

Turnkey CMMC Program

Turnkey Cybersecurity and Privacy Programs

As part of the CMMC roll-out, DoD subcontractors must now audit their cybersecurity and post scores and PoAM info to the Supplier Performance Risk System.

Everyone has known for years that many contractors were fraudulently declaring compliance with the 800-171 requirement. But the feds are now enforcing 800-171 with the False Claims Act.”
— Ray Hutchins
DENVER, CO, UNITED STATES, October 5, 2020 / -- Department of Defense (DoD) contractors have been required (by law) to be 100% compliant with the NIST SP 800-171 regulation since December 2017 and contractors have been "self-certifying" their compliance with that requirement.

Unfortunately, since these self-certifications are totally voluntary, most are worthless and even fraudulent. Thus the DoD has been forced to implement the Cybersecurity Maturity Model Certification (CMMC) program which requires contractors to have their cybersecurity programs certified by a third party before they can be awarded any DoD contracts. But the sheer enormity of the U.S. Defense Industrial Base (DIB) and the complexity of cybersecurity means that it will take up to 5 years to fully implement the CMMC. Therefore over the last 18 months, the Defense Contract Management Agency (DCMA) has been auditing contractors for NIST SP 800-171 compliance.

And according to Katie Arrington, CISO DoD Acquisition Office, about 80% of those contractors audited have failed the audit. That's a lot of fraud.

But what is truly different (and most significant) about this particular audit process is that all contractors now must post their cybersecurity audit scores to the DoD Supplier Performance Risk System (SPRS) portal for all agencies to view. And not only do contractors have to post their cybersecurity audit scores, they must also post the date that they intend to be 100% NIST SP 800-171 compliant based on a written plan of action with milestones (PoAM).

And the Department of Justice is using the enhanced False Claims Act to crack down on contractors who are exposed as fraudulently claiming that their security practices meet 800-171 requirements. The Department of Justice recovered $3B in 2019 using the False Claims Act as its hammer.

"It's about time," says Ray Hutchins, partner at Turnkey Cybersecurity and Privacy Solutions LLC (TCPS). "Everyone has known for years that many contractors were "self-incriminating" and fraudulently declaring compliance with 800-171 requirement. But the feds are now enforcing 800-171 with the False Claims Act. That should get people's attention."

NOTE: This new audit process is not a replacement for CMMC, but it should help light a fire under contractors to move more quickly towards ultimate CMMC compliance. There are more details related to this DCMA audit process. If you are interested, please contact Mitch Tanenbaum (contact details below).

"It's great to see that the DoD is taking this interim step to improve contractor cybersecurity programs while the CMMC is being rolled out," says Mitch Tanenbaum, partner at TCPS. "The cybersecurity community watches the US and our allies losing hundreds of billions in cash and intellectual property EVERY YEAR. We are truly engaged in a monumental cyber war and as these losses pile up, we fear the long term implications for our way of life."

It seems that Tanenbaum and Hutchins know something about the subject matter. They are the founders and operators of two cybersecurity companies: CyberCecurity LLC and Turnkey Cybersecurity and Privacy Solutions LLC (TCPS). Both of these companies have been engaged in supporting the 800-171 and CMMC efforts.

TCPS is the first and (so far) the ONLY company to offer "turnkey" cybersecurity and privacy programs to small to medium-sized companies. These are comprehensive, pre-engineered and professionally supported cybersecurity and privacy programs that have been designed for companies that don't have the IT and cybersecurity resources to develop, deploy and maintain programs on their own.

"We know exactly how hard it is for a company to build and maintain a professional cybersecurity program. We have been helping companies do it for years," Tanenbaum says. "None of us have any choice. Our capitalistic system operates on top of an IT infrastructure which is inherently insecure. The sooner we quit fooling around and protect it, the safer we'll all be."

The only way for a company to tackle cybersecurity is to deploy, maintain, and document professional cybersecurity programs. TCPS's turnkey programs are by far the most cost-effective and fastest-to-deploy cybersecurity option for small to medium-sized companies. They help companies reduce risk and increase competitiveness.

"It takes years to develop cybersecurity programs that include all the processes, content, and support required," Hutchins says. "We have done it (and are still doing it), but we have no illusions about our capability to scale and deploy our products to the extent required to protect our country. We welcome any opportunities to share what we have built with others who can help expedite the deployment and support of cybersecurity programs of this kind."

For more information, please contact:

Mitch Tanenbaum
Turnkey Cybersecurity & Privacy Solutions, LLC
+1 720-891-1663
email us here
Visit us on social media:

Mitch Tanenbaum discusses NIST SP 800-171 vs CMMC