Whistleblowing and CMMC: The Explosive Aerojet Rocketdyne Case and Its Crucial Impact on Compliance

In today’s digital age, cybersecurity compliance is paramount, especially for companies involved in federal contracts with the Department of Defense (DoD). Adhering to the Cybersecurity Maturity Model Certification (CMMC) requirements ensures that sensitive information remains secure, safeguarding national security interests. However, not all companies meet these stringent standards, leading to significant legal and financial consequences. This was the case for Aerojet Rocketdyne Holdings, Inc. (Aerojet), which faced a lawsuit filed by former Senior Director of Cyber Security, Brian Markus, over allegations of fraudulent statements regarding their compliance with cybersecurity requirements. This blog post delves into the details of the case, the court’s response to Aerojet’s defenses, and the broader implications for the industry.

Background Information

Brian Markus’ Role

Brian Markus served as the Senior Director of Cyber Security, Compliance, and Controls at Aerojet from June 2014 to September 2015. In this role, Markus was responsible for ensuring that Aerojet adhered to the cybersecurity regulations required for contracts with federal agencies, including NASA and the DoD. His responsibilities included overseeing the implementation of cybersecurity measures, ensuring compliance with relevant regulations, and maintaining the integrity of the company’s cybersecurity practices.

During his tenure, Markus’s primary focus was to ensure that Aerojet’s cybersecurity posture met the necessary standards to protect sensitive information. This included conducting regular audits, implementing security protocols, and training employees on best practices. His role was crucial in maintaining Aerojet’s reputation and trust with federal agencies, emphasizing the importance of compliance in securing high-stakes contracts.

Noncompliance Discovery

Shortly after starting his job, Markus discovered that Aerojet was not compliant with the Federal Acquisition Regulation (FAR) requirements for NASA contracts (48 CFR § 1852.204-76) and the Defense Federal Acquisition Regulation Supplement (DFARS) for DoD contracts (48 CFR § 252.204-7012). These regulations mandate specific cybersecurity measures to protect controlled unclassified information (CUI) and other sensitive data. Markus found that Aerojet’s cybersecurity controls were inadequate and did not meet these stringent requirements.

The discovery was alarming as it meant that Aerojet was potentially putting national security at risk by not adequately protecting sensitive information. Markus identified several areas where Aerojet fell short, including insufficient encryption protocols, lack of regular security assessments, and inadequate incident response plans. These shortcomings posed significant risks, as any breach could lead to unauthorized access to critical data, potentially compromising national defense systems.

Initial Actions

In light of this discovery, Markus refused to sign documents that falsely claimed Aerojet was compliant with the necessary regulations. He reported his findings to Aerojet’s ethics hotline and filed an internal report, hoping that the company would take corrective actions. Instead, Markus was terminated two months later, allegedly in retaliation for his refusal to sign the compliance documents and his reporting of the noncompliance.

Markus’s decision to report the noncompliance internally was driven by a sense of duty to uphold ethical standards and protect national security. His termination raised serious concerns about Aerojet’s commitment to cybersecurity and compliance. Markus’s actions exemplify the critical role that employees play in identifying and addressing compliance issues, highlighting the importance of creating a culture where whistleblowers are protected and their concerns are taken seriously.

Legal Proceedings

Termination and Lawsuit

Following his termination, Markus filed a qui tam lawsuit under the False Claims Act (FCA). The FCA allows private individuals, known as relators, to file lawsuits on behalf of the United States against companies that are defrauding the government. In such cases, the relator can receive a portion of any recovered damages. Markus’s lawsuit alleged that Aerojet had knowingly submitted fraudulent statements about their cybersecurity compliance to secure contracts with NASA and the DoD.

The lawsuit brought significant attention to the issue of cybersecurity compliance in federal contracting. By filing under the FCA, Markus aimed to hold Aerojet accountable for its actions and recover funds that were awarded based on false claims of compliance. The case underscored the potential for substantial financial and reputational damage that companies can face if they fail to adhere to cybersecurity standards.

Aerojet’s Defense

In response to the lawsuit, Aerojet sought to have the case dismissed, arguing that the alleged violations were not material to the government’s decision to award contracts. Aerojet’s defense comprised four main sub-arguments, each aiming to undermine the materiality of the noncompliance.

  1. 1. Disclosure of Noncompliance

Aerojet argued that they had disclosed their noncompliance to NASA and the DoD, and despite this, the government agencies continued to award contracts and issue payments. They claimed that this indicated the noncompliance was not material. However, the court rejected this argument, noting that Markus had provided sufficient evidence that Aerojet had not fully disclosed the extent of their noncompliance. The court asserted that had the government been fully aware of the noncompliance, they might not have awarded the contracts. The proximity of a company’s compliance with cybersecurity requirements is a critical factor in the government’s decision-making process.

This argument highlights the importance of transparency and full disclosure in compliance reporting. Even partial disclosure of noncompliance can lead to severe consequences if the full extent of the issues is not communicated. Companies must ensure that they provide complete and accurate information to maintain trust and avoid legal repercussions.

  1. 2. Materiality of Cybersecurity Requirements

Aerojet contended that cybersecurity requirements were not central to the contracts, which primarily focused on missile defense and rocket engine technology. They argued that the noncompliance with cybersecurity standards did not significantly impact their ability to fulfill the contract’s main objectives. The court, however, rejected this claim, emphasizing that the regulations require specific cybersecurity measures to be in place before a contractor can handle technical information. Therefore, failing to implement these measures could directly affect Aerojet’s capability to perform the contracted work.

The court’s rejection of this argument underscores the integral role of cybersecurity in modern defense contracts. Cybersecurity measures are not just peripheral requirements but essential components that ensure the security and integrity of the work being performed. Noncompliance with these requirements can undermine a contractor’s ability to deliver on their obligations, posing risks to national security.

  1. 3. Government’s Position on Noncompliance

Another argument made by Aerojet was that the government itself did not find the noncompliance material. They pointed out that the Department of Justice (DoJ) did not intervene in the case, and both the DoD and NASA continued to contract with Aerojet despite being aware of the issues. The court dismissed this argument, stating that the government’s decision not to act did not reflect on the merits of the False Claims Act case. The court highlighted that there could be various reasons for the DoJ’s non-intervention, unrelated to the validity of the claims.

This argument sheds light on the complexities of government decision-making in response to compliance issues. The decision not to intervene in a specific case does not necessarily indicate a lack of concern or relevance but can be influenced by multiple factors, including resource allocation and strategic priorities. Contractors should not interpret non-intervention as an endorsement of their practices.

  1. 4. Historical Tolerance of Noncompliance

Finally, Aerojet argued that the DoD’s historical tolerance of noncompliance with cybersecurity regulations indicated that they never expected full technical compliance. They claimed that the DoD’s repeated amendments to acquisition cybersecurity regulations demonstrated this tolerance. However, the court rejected this argument, stating that Aerojet failed to provide sufficient evidence of another instance where a government contractor had been paid despite noncompliance to the same extent. The court emphasized that such historical tolerance did not absolve Aerojet from its obligation to comply with the regulations.

This argument highlights the challenges companies face in interpreting regulatory expectations. Even if there has been historical tolerance for certain noncompliance issues, this does not provide a blanket exemption from current regulations. Companies must continuously strive to meet evolving standards and should not rely on past leniencies as a justification for present noncompliance.

Settlement and Implications

Settlement Details

After prolonged legal battles, Aerojet agreed to pay $9 million to settle the allegations under the False Claims Act. This settlement resolved the lawsuit filed by Markus, who will receive $2.61 million as his share of the recovery. The settlement underscores the importance of cybersecurity compliance and the significant financial consequences of noncompliance.

The substantial settlement amount reflects the seriousness with which the government views cybersecurity compliance. It serves as a warning to other contractors about the potential costs of failing to adhere to cybersecurity requirements. The financial penalty, combined with the negative publicity, can have long-lasting impacts on a company’s reputation and business prospects.

Statements from Officials

Brian M. Boynton, Principal Deputy Assistant Attorney General, highlighted the crucial role whistleblowers play in identifying and addressing cybersecurity failures and misconduct. He stated,

“Whistleblowers with inside information and technical expertise can provide crucial assistance in identifying knowing cybersecurity failures and misconduct.” Similarly, U.S. Attorney Phillip A. Talbert for the Eastern District of California commended Markus’s actions, stating, “The qui tam action brought by Mr. Markus is an example of how whistleblowers can contribute to civil enforcement of cybersecurity requirements through the False Claims Act.”

These statements emphasize the value that whistleblowers bring to the enforcement of cybersecurity standards. By coming forward with their knowledge and expertise, whistleblowers help ensure that companies are held accountable for their actions. This recognition reinforces the need for strong whistleblower protections and encourages others to report noncompliance without fear of retaliation.

Civil Cyber-Fraud Initiative

In October 2021, the Deputy Attorney General announced the Department of Justice’s Civil Cyber-Fraud Initiative. This initiative aims to hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, misrepresenting their cybersecurity practices, or violating obligations to monitor and report cybersecurity incidents. The Aerojet case serves as a prominent example of the types of misconduct the initiative seeks to address.

The Civil Cyber-Fraud Initiative represents a significant step forward in the government’s efforts to combat cybersecurity threats. By focusing on fraud related to cybersecurity, the initiative aims to protect sensitive information and ensure that companies adhere to high standards. This proactive approach signals to contractors that cybersecurity compliance is non-negotiable and that any attempts to circumvent these requirements will be met with serious consequences.

Analysis and Implications for the Industry

Impact on Contractors

The Aerojet case has significant implications for government contractors, particularly those involved in defense and aerospace sectors. It highlights the importance of adhering to CMMC compliance and other cybersecurity requirements to avoid legal and financial repercussions. Contractors must ensure that their cybersecurity measures are robust and fully compliant with federal regulations to maintain their eligibility for government contracts.

This case serves as a wake-up call for contractors to reassess their cybersecurity practices and ensure that they meet all regulatory requirements. Noncompliance can result in severe penalties, loss of contracts, and damage to reputation. Contractors should invest in comprehensive cybersecurity programs, conduct regular audits, and implement continuous monitoring to stay ahead of potential threats.

Role of Whistleblowers

The case also underscores the vital role that whistleblowers play in enforcing cybersecurity standards. Employees with insider knowledge and technical expertise can identify and report noncompliance, helping to maintain the integrity of federal contracting processes. Companies must foster a culture of transparency and encourage employees to speak up about potential issues without fear of retaliation.

Creating an environment where employees feel safe to report noncompliance is crucial for maintaining high standards of cybersecurity. Companies should implement robust whistleblower policies, provide training on ethical practices, and ensure that there are clear channels for reporting concerns. Protecting whistleblowers not only helps in identifying issues early but also demonstrates a company’s commitment to integrity and accountability.

Future of Cybersecurity Compliance

As the Department of Defense and other federal agencies continue to emphasize the importance of cybersecurity, contractors can expect increased scrutiny of their compliance practices. The Civil Cyber-Fraud Initiative and similar efforts signal a shift towards more rigorous enforcement of cybersecurity standards. Contractors must stay abreast of evolving regulations and ensure that their cybersecurity practices meet the required standards to avoid future legal challenges.

The future of cybersecurity compliance will likely involve more stringent requirements and closer monitoring by federal agencies. Contractors should be prepared for regular audits and assessments, and they must demonstrate a proactive approach to managing cybersecurity risks. Staying informed about regulatory changes and investing in advanced cybersecurity technologies will be essential for maintaining compliance and securing government contracts.

Conclusion

The case of Brian Markus and Aerojet Rocketdyne Holdings, Inc. serves as a stark reminder of the critical importance of cybersecurity compliance in federal contracts. The significant financial settlement and the court’s rejection of Aerojet’s defenses highlight the serious consequences of noncompliance. For contractors, this case underscores the necessity of adhering to CMMC requirements and other cybersecurity regulations to maintain their eligibility for government contracts and avoid costly legal battles.

By fostering a culture of transparency and compliance, and recognizing the valuable role of whistleblowers, companies can ensure that they meet the high standards required for federal contracts. As cybersecurity threats continue to evolve, maintaining robust cybersecurity measures and adhering to regulatory requirements will be crucial for the success and integrity of federal contracting processes.

Follow us on our Linkedin page: https://www.linkedin.com/company/dod-cmmc/

Catch up on in-depth explanation of CMMC 2.0: https://dod-cmmc.com/cmmc-2-0-program/

Scroll to Top