Propulsion and power systems manufacturer Aerojet Rocketdyne to pay $9 million to settle False Claims Act allegations of violations of compliance and cybersecurity requirements for Government contracts

Aerojet Rocketdyne Inc. has agreed to pay $9 million to resolve allegations that it violated the False Claims Act by misrepresenting its compliance with cybersecurity requirements in certain federal government contracts, the Justice Department announced today. Aerojet provides propulsion and power systems for launch vehicles, missiles and satellites and other space vehicles to the Department of Defense, NASA and other federal agencies.

The settlement resolves a lawsuit filed and litigated by former Aerojet employee Brian Markus against Aerojet under the qui tam or whistleblower provisions of the False Claims Act, which permit a private party (known as a relator) to file a lawsuit on behalf of the United States and receive a portion of any recovery. Mr. Markus and Aerojet reached a settlement of the case on the second day of trial. Mr. Markus will receive $2.61 million as his share of the False Claims Act recovery. 

On Oct. 6, 2021, the Deputy Attorney General announced the Department’s Civil Cyber-Fraud Initiative, which aims to hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report.

Currently, DFARS 252.204-7012 contains the tougher requirements. DFARS 252.204-7012 is required to be included in all government contracts with DoD, except for contracts solely for the acquisition of commercial off-the-shelf items. As a result, DoD construction contracts should contain DFARS 252.204-7012. DFARS 252.204-7012 imposes security and cyber incident reporting requirements on DoD contractors who have access to covered defense information (CDI). CDI is unclassified controlled technical information or other information that requires safeguarding or dissemination controls as described in the National Archives and Records Administration’s CUI Registry. Examples of potential CDI include engineering data, engineering drawings, and specifications. DoD contractors were supposed to have implemented the requirements of DFARS 252.204-7012 by December 31, 2017.

A requirement of DFARS 252.204-7012 is for the contractor to have adequate security to protect CDI residing on or transiting the contractor’s information systems. Adequate security is based primarily on the National Institute of Standards and Technology (NIST) Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. NIST 800-171 has 110 security controls with which DoD contractors must comply. The security controls address such things as access control, awareness and training, incident response, personnel security, and physical protection. In addition to having adequate security, DFARS 252.204-7012 also requires DoD contractors to rapidly report cyber incidents to DoD when the contractor discovers a cyber incident that affects: (1) a contractor information system that processes, stores, or transmits federal contract information; (2) CDI residing in the contractor’s information system; or (3) the contractor’s ability to perform operationally critical support requirements of the contract. Cyber incidents are actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein. In addition to rapidly reporting, the contractor has to conduct a review for evidence of compromise of CDI.