Whistleblowers and CMMC Compliance: A Warning for DIB SMB Contractors

Booz Allen Hamilton Holding Corporation, headquartered in McLean, Virginia, has agreed to pay the United States $377,453,150 to resolve allegations that it violated the False Claims Act by improperly billing commercial and international costs to its government contracts. This settlement is one of the largest procurement fraud settlements in history.

The allegations involved improper billing practices where Booz Allen wrongly charged commercial and international costs to its government contracts. The government accused Booz Allen of wrongly assigning indirect commercial and international business costs to its government contracts and subcontracts.

This case serves as a reminder for Defense Industrial Base (DIB) Small and Medium-sized Business (SMB) Contractors and subcontractors on or embarking on their Cybersecurity Maturity Model Certification (CMMC) compliance journey. The Department of Defense (DoD) will require DIB contractors to implement specific cybersecurity protection standards and perform self-assessments or obtain third-party certification as a condition of contract award under the CMMC program. The program aims to protect sensitive unclassified information that the DoD shares with its contractors and subcontractors.

DIB SMB contractors and subcontractors need to start or continue their CMMC compliance journey under the advice of a litigation cybersecurity counsel. Thomas View, Temvi, LLC has experience representing clients in regulatory enforcement and civil litigation triggered by cybersecurity incidents.

The role of whistleblowers in the case of Booz Allen Hamilton was significant. A former team member, Sarah Feinberg, filed a whistleblower complaint under the qui tam provisions of the False Claims Act, alleging that Booz Allen had been overcharging the federal government by knowingly presenting false claims for reimbursement¹. The case settled for $377 million, with the whistleblower receiving nearly $70 million¹.

In the future, whistleblowers could play a significant role in DOD CMMC compliance audits of DIB SMB contractors and subcontractors. Similar to the evolution of HIPAA and the now-famous HIPAA Wall of Shame, a public listing that provides information about breaches affecting 500 or more individuals⁷, the DOD may do something similar to simplify and streamline enforcing CMMC compliance violations.

However, it is essential to note that there needs to be more information on whether or not the DOD plans to implement a similar system for CMMC compliance violations. We have yet to see how the DOD will enforce CMMC compliance and what role whistleblowers will play in this process. Whistleblowers could play a significant role in reporting non-compliance and helping ensure that contractors and subcontractors adhere to the required cybersecurity standards.

The Department of Defense (DoD) may leverage Certified Third-Party Assessment Organizations (C3PAOs) to conduct CMMC compliance audits, especially in whistleblower cases involving CMMC compliance violations. C3PAOs are critical to achieving CMMC 2.0 compliance. They evaluate an organization’s policies, processes, and controls against the CMMC requirements.

In summary, the Booz Allen Hamilton case sets a precedent for the DOD to enforce compliance with cybersecurity standards, especially for SMB contractors and subcontractors. These companies need to seek the advice of a litigation cybersecurity counsel such as Thomas View, Temvi, LLC to ensure compliance with the CMMC program and avoid potential legal consequences.

At eTrepid, we have a team of skilled cybersecurity and compliance experts fully equipped to assist you in achieving continuous compliance. We are passionate about compliance and would be more than happy to chat with you about it. Don't hesitate to give us a call for help!