Press Release, Jelly Bean Communications Design and its Manager Settle False Claims Act Liability for Cybersecurity Failures on Florida Medicaid Enrollment Website (March 14, 2023), available at https://www.justice.gov/opa/pr/jelly-bean-communications-design-and-its-manager-settle-false-claims-act-liability.5United States ex rel. Matthew Decker v. Pennsylvania State University, No. 2:22-cv-03895-PD (E.D. Pa. January 1, 2023).6 This is a self-attestation of compliance rather than an official audit procedure.7Id. at 14.8 Dept. of Justice, Press Release, Cooperating Federal Contractor Resolves Liability for Alleged False Claims Caused by Failure to Fully Implement Cybersecurity Controls (September 5, 2023) available at https://www.justice.gov/opa/pr/cooperating-federal-contractor-resolves-liability-alleged-false-claims-caused-failure-fully.9Id.10Id.11Id.12 Federal Acquisition Regulation: Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems, Proposed Rule, 88 FR 68402 (October 3, 2023) [hereinafter “Proposed Rule 1”].13 Federal Acquisition Regulation: Cyber Threat and Incident Reporting and Information Sharing, Proposed Rule, 88 FR 68055 (October 3, 2023) [hereinafter “Proposed Rule 2”].14 Proposed Rule 1 at 7; Proposed Rule 2 at 4.

to compliance with the new cybersecurity obligations.Also significant are the Government’s affirmative statements in both rules that compliance with these cybersecurity and incident reporting requirements is “material to eligibility and payment under Government contracts.” This language is purposeful and designed to make clear that violation of either proposed rule could lead to False Claims Act liability. It also is notable that, under both proposed rules, the FAR Council solicits specific inputs from industry. The multiple requests for comments suggest there remains room to shape the final version of these rules. Government Contractors are advised to take this opportunity to weigh in on the potential business and economic impact of the proposed obligations. Comments on both proposed rules are due on December 4, 2023.Proposed Standardizing Cybersecurity Requirements RuleThe first proposed rule is “Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems.” 88 FR 68402 (FAR Case No. 2021-019). If implemented, the proposed rule would revise the FAR to standardize contractual cybersecurity requirements across federal agencies. The requirements will apply to all “Federal information systems” (FIS), which, as defined by the proposed rule, include both agency and contractor information systems. As detailed below, the proposed rule reflects a potential sea change in the requirements federal agencies impose on contractors and the way they manage cybersecurity under their Government contracts.BackgroundThe proposed rule is intended to implement the portion of Executive Order (E.O.) 14028, “Improving the Nation’s Cybersecurity” (May 12, 2021), that directs the Secretary of Homeland Security, acting through the Director of the Cybersecurity and Infrastructure Security Agency (CISA), and in consultation with DoD, the National Security Agency (NSA), and other federal agencies, to review agency-specific cybersecurity requirements that currently exist as a matter of law, policy, or cont