A few weeks ago, we discussed two recent cyber-related False Claims Act (FCA) cases. One of those cases is a qui tam lawsuit against Penn State and, as of the date of our article, we were waiting to see if DOJ would opt to intervene in the case on behalf of the United States.
On September 29, 2023, DOJ notified the Court that the United States “is not intervening at this time.” Although any number of reasons could be driving the United States’ decision, the declination is not entirely surprising given the complexity and uncertainty surrounding federal cybersecurity compliance. For example, although DoD contractors are required to report a self-assessment score (out of 110) in DoD’s Supplier Performance Risk System (SPRS), there currently is no existing requirement that contractors attain any particular compliance score and DoD’s Cybersecurity Maturity Model Certification (CMMC) program, which will implement new requirements for cybersecurity compliantce, has not yet been finalized. As such, satisfying all elements of the FCA (including materiality) in this case appears tenuous. Of course, as usual, the language of the declination (i.e., “at this time”) leaves open the possibility that the United States may opt to intervene at a future date.