Consulting companies to pay $11.3 million for not complying with cybersecurity requirements in federally funded contract

Monday, June 17, 2024Shareright caret

Guidehouse Inc., headquartered in McLean, Virginia, has paid $7,600,000 and Nan McKay and Associates (Nan McKay), headquartered in El Cajon, California, has paid $3,700,000 to resolve allegations that they violated the False Claims Act by failing to meet cybersecurity requirements in contracts intended to ensure a secure environment for low-income New Yorkers to apply online for federal rental assistance during the COVID-19 pandemic.

In early 2021, Congress established the emergency rental assistance program (ERAP) to provide financial assistance to eligible low-income households to cover the costs of rent, rental arrears, utilities and other housing-related expenses during the COVID-19 pandemic. Participating governments were required to establish programs to distribute the federal funding to eligible tenants and landlords. In New York, the Office of Temporary and Disability Assistance (OTDA) was the state agency responsible for administering New York’s ERAP. In May 2021, Guidehouse and OTDA entered a contract under which Guidehouse, as the prime contractor, assumed responsibility for the New York ERAP, including for the ERAP technology and services provided to New Yorkers. Nan McKay, in turn, served as Guidehouse’s subcontractor and was responsible for delivering and maintaining the ERAP technology product used in New York to fill out and submit online applications requesting rental assistance (ERAP Application).

Guidehouse and Nan McKay shared responsibility for ensuring that the ERAP Application underwent cybersecurity testing in its pre-production environment before it was launched to the public. As part of the settlements announced today, Guidehouse and Nan McKay admitted that neither satisfied their obligation to complete the required pre-production cybersecurity testing. The state’s ERAP went live on June 1, 2021. Twelve hours later, OTDA shut down the ERAP website after determining that certain applicants’ personally identifiable information (PII) had been compromised and portions were available on the internet. Guidehouse and Nan McKay acknowledged that had either of them conducted the contractually-required cybersecurity testing, the conditions that resulted in the information security breach may have been detected and the incident prevented.

In addition, as part of its settlement, Guidehouse admitted that for a short time period in 2021, it used a third-party data cloud software program to store personally identifiable information without first obtaining OTDA’s permission, in violation of its contract.

For companies serving federal contracts, there are several key cybersecurity requirements they must adhere to:

NIST SP 800-171

Companies must comply with the security controls outlined in NIST Special Publication 800-171 for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. This includes implementing a set of “basic” security controls for information systems where CUI data transits or resides.

CMMC Certification

The Cybersecurity Maturity Model Certification (CMMC) will be a mandatory “go/no go” requirement for all Department of Defense contractors and subcontractors. It establishes a unified cybersecurity standard and certification process across the defense industrial base.

Section 889 Part B

This rule prohibits federal agencies from contracting with companies that use certain telecommunications equipment or services from companies like Huawei and ZTE, deemed a national security risk.

Proposed New FAR Rules

Two new proposed FAR rules would further standardize cybersecurity requirements for federal contractors:

  1. Standardizing Cybersecurity for Unclassified Federal Info Systems (FAR Case 2021-019)
  • Requires annual security assessments and cyber threat hunting for moderate/high risk systems
  • Mandates implementation of NIST security/privacy controls specified by agencies
  • Contractors must maintain a list of operational technology equipment locations
  1. Cyber Threat/Incident Reporting (FAR Case 2021-017)
  • Requires reporting cybersecurity incidents to CISA within 8 hours
  • Provides CISA, FBI, and agencies access to contractor personnel/systems after incidents
  • Mandates compliance with CISA Binding Operational Directives and FedRAMP for cloud services

The proposed rules aim to streamline requirements, improve compliance, and better secure federal information systems from cyber threats across the contractor community.

Jeffrey Newman is a whistleblower lawyer, whose firm represents whistleblowers in healthcare fraud cases under the False Claims Act (FCA) and also under the Securities and Exchange, FINCEN and CFTC whistleblower programs. He can be reached at or at 617-823-3217