The US Department of Defense’s implementation of a new cybersecurity framework, the Cybersecurity Maturity Model Certification 2.0 or CMMC, will require more than 300,000 military contracting companies to improve their cybersecurity protections.
These safeguards are critically important, but it appears that more than half of military contractors are unprepared to meet these new requirements when phase 1 begins on Nov. 10.
Over the past several years, we have seen that cybersecurity whistleblowers at defense contractors are increasingly willing to come forward. Major companies, including Raytheon and Aerojet Rocketdyne, have already paid millions of dollars to the US Department of Justice to resolve cybersecurity fraud claims brought by whistleblowers under the federal False Claims Act. In general, whistleblowers bring such claims because their employer ignores or retaliates against them when they raise concerns internally.
In my practice, I’ve seen a significant increase over the past year in the number of cybersecurity professionals facing retaliation for blowing the whistle internally on their employer’s cyber unpreparedness. In my experience, these professionals do not come to me for a payday or out of spite, but rather, because they believe that failing to meet these standards creates a serious liability risk for their employers and, more importantly, risks exposing our sensitive national security data to bad actors.
CMMC requirements. Chief information security officers and other cybersecurity professionals are at the vanguard of ensuring CMMC compliance. These experts bear the responsibility of identifying vulnerabilities, designing remediation plans, and advocating for the resources necessary to achieve certification.
Importantly, the CMMC requirements were on their radar for a long time. While the November implementation is an important milestone, the journey toward these new CMMC requirements began much earlier.
In 2015, the National Institute of Standards and Technology published NIST Special Publication 800-171, a detailed set of security requirements designed to protect controlled unclassified information (CUI): sensitive but unclassified data that, if compromised, could harm national security. In 2016, the Department of Defense made those requirements mandatory for contractors handling this data through its DFARS contract clause (252.204-7012). DOD initially permitted contractors to “self-assess” their own compliance without independent verification, and those self-assessments varied wildly in rigor and accuracy.
DOD set out to construct a system to ensure accountability, which eventually resulted in the publication of CMMC 2.0 in 2021. In it, the department sorted defense contractors into three levels with tiered verification processes (self-assessment at the lowest level, assessment by a certified third party at the middle level, and government-led assessment at the highest level) depending on the sensitivity of the data the contractors handle. While the final DOD rule specifying the November 10 date was set earlier this year, companies have had years to prepare and ramp up their cybersecurity standards.
Whistleblowers face pushback. I’ve seen a dramatic uptick over the past year in retaliation claims brought by cybersecurity professionals. The cause of this phenomenon appears straightforward: These professionals know that time is short before a certified third party or the government is going to verify whether their self-reported cybersecurity compliance is accurate. In their view, the time to speak out is now—and in return, they have faced consequences.
When cybersecurity professionals report non-compliance or refuse to sign off on inaccurate assessments, they may deal with marginalization, hostile work environments, demotions, and in some cases, termination. These actions create a chilling effect that undermines the goals of CMMC and makes our country less safe.
From their companies’ perspectives, achieving CMMC compliance can be costly. It requires investments in new technologies, personnel training, and system architectures. Companies facing these expenses may view professionals trying to safeguard national security data as obstacles to profitability.
The employees who raise these whistleblower claims often have strong legal protections against retaliation. The Defense Contractor Whistleblower Protection Act (10 U.S.C. § 4701) specifically protects employees of defense contractors who report violations of laws or regulations relating to a DOD contract. Moreover, the federal False Claims Act and, in certain circumstances, the Sarbanes-Oxley Act may also offer protections to an employee who reports knowing misrepresentations of cyber compliance.
Beyond federal protections, states such as California, New York, Virginia, and New Jersey have enacted strong statutes—in some cases, stronger than the federal statutes—prohibiting retaliation against employees who raise concerns about violations of law.
The CMMC framework represents a promising evolution in protecting America’s defense industrial base from cyber threats. Its success depends on protecting the professionals charged with its implementation.
As cybersecurity requirements continue to mature, employers must recognize that investing in compliance is not merely a regulatory burden but a strategic imperative. Professionals advocating for these investments deserve support, not retaliation.
Defense contractors should be on notice: Those that retaliate against employees working to ensure cyber preparedness not only jeopardize our national security but expose themselves to significant legal liability.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law, Bloomberg Tax, and Bloomberg Government, or its owners.
Author Information
Matthew LaGarde is a whistleblower attorney and partner at Katz Banks Kumin and co-author of the firm’s cybersecurity and data privacy whistleblower protections guide.