An ITAR-ly Critical Reminder of Cybersecurity Requirements: DOJ Settles with Swiss Automation, Inc.

Client Alert | 5 min read | 12.23.25

Earlier this month, the Department of Justice (DOJ) announced that Swiss Automation Inc., an Illinois-based precision machining company, agreed to pay $421,234 to resolve allegations that it violated the False Claims Act (FCA) by inadequately protecting technical drawings for parts delivered to Department of Defense (DoD) prime contractors.  This settlement reflects DOJ's persistent emphasis on cybersecurity compliance across all levels of the defense industrial base, reaching beyond prime contractors to encompass subcontractors and smaller suppliers.  The settlement is also a reminder to all contractors not to overlook the often confusing relationship between Controlled Unclassified Information (CUI) and export-controlled information.

Background and Allegations

Swiss Automation is an Illinois-based precision machining business that manufactures alloy and metal components for commercial and government clients across multiple industries.  The enforcement action stems from a qui tam lawsuit filed on August 16, 2022, by a former quality-control manager at Swiss Automation, in the United States District Court for the Northern District of Illinois, captioned United States ex rel. Gomez v. Swiss Automation, Inc., Civil Action No. 22-C-4328.

The relator’s complaint predominately focuses on Swiss Automation’s alleged violations of the International Traffic in Arms Regulations (ITAR).  Specifically, it alleged that the company manufactures numerous defense articles subject to the ITAR for prime contractors and that the company knowingly submitted invoices containing false certifications of ITAR compliance despite awareness of compliance deficiencies.  The complaint detailed multiple alleged violations, including:

    • Failing to adequately safeguard ITAR-controlled articles and technical data, including blueprints and machining diagrams;
    • Allowing numerous “foreign persons” access to ITAR-controlled technical data without securing an applicable ITAR authorization (e.g., an applicable license, agreement, or exemption);
    • Transmitting ITAR-controlled technical data through unencrypted emails; and
    • Manufacturing defense articles subject to the ITAR without processes to handle them as ITAR-controlled.

According to the complaint, the relator first raised these compliance concerns internally in September 2021.  While the management team allegedly acknowledged the ITAR-related shortcomings, it did not address the relator’s concerns.  

Unlike the relator’s complaint, DOJ’s press release and the announced settlement agreement do not reference violations of the ITAR and focus on the cybersecurity measures mandated by Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012.  The government asserted that Swiss Automation knowingly failed to implement adequate cybersecurity pursuant to DFARS 252.204-7012 for technical drawings of specific parts the company delivered to defense contractors.  These alleged failures involved nine purchase orders spanning March 2022 through October 2023, during which the company purportedly caused false payment claims to be submitted.

The Intersection of DFARS and ITAR

This settlement illustrates the critical intersection of two regulatory frameworks that defense suppliers must navigate: DFARS cybersecurity requirements and the ITAR. 

DFARS Cybersecurity Requirements.  DFARS 252.204-7012 generally requires that contractors and subcontractors provide “adequate security” on all covered contractor information systems by implementing National Institute of Standards and Technology (NIST) Special Publication 800-171 security controls when processing, storing, or transmitting CUI.  Importantly, export-controlled information is an explicit category of CUI in the CUI Registry.

ITAR and Technical Data.  As described in the CUI Registry, export-controlled information includes “[u]nclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives.”  This includes ITAR-controlled items.  The ITAR regulates defense articles enumerated on the United States Munitions List (USML) and associated “technical data”—including blueprints, drawings, and specifications needed to design, develop, produce, manufacture, assemble, operate, repair, test or modify defense articles.  Technical drawings and manufacturing specifications may constitute ITAR-controlled technical data when they relate to a USML-controlled defense article and are not otherwise excluded.  Technical data must be protected to prevent the unauthorized export or release to foreign persons, including to foreign persons located within the United States.

As a result, when a U.S. contractor processes, stores, or transmits export-controlled information under a relevant DoD contract, it is often subject to both DFARS 252.204-7012 and ITAR requirements.  While the relator’s complaint did not expressly cite DFARS 252.204-7012 or specific cybersecurity regulations, it appears DOJ linked the alleged ITAR non-compliances to DFARS 252.204-7012. 

Key Takeaways

    1. Cybersecurity and ITAR compliance are intertwined obligations for defense suppliers.  This settlement demonstrates that suppliers processing defense-related technical data face overlapping compliance requirements under both DFARS cybersecurity provisions and the ITAR.  Identical technical drawings may trigger both the duty to implement NIST SP 800-171 controls and the duty to restrict access to export-controlled data.  Companies must address both frameworks in tandem.

    2. Cybersecurity obligations cascade through the supply chain.  The duty to implement NIST SP 800-171 security controls extends beyond DoD prime contractors to encompass subcontractors and suppliers throughout the defense industrial base.  Even smaller suppliers processing technical drawings or other CUI must satisfy DFARS cybersecurity requirements under the terms of their flowdowns.

    3. Enforcement targets suppliers of all sizes, regardless of breach.  While the $421,234 settlement is more modest than recent high-profile cybersecurity FCA settlements involving larger defense contractors, it demonstrates DOJ's determination to pursue enforcement actions against suppliers of all sizes who fail to satisfy their cybersecurity obligations.  Notably, FCA liability can attach regardless of whether any actual cybersecurity breach occurred.

    4. CMMC will perpetuate this enforcement trend.  As DOJ notes in its press release, the cybersecurity obligations at issue will persist under the Cybersecurity Maturity Model Certification (CMMC) program that DoD recently finalized.  Suppliers should prepare for heightened scrutiny and certification requirements under CMMC, while not overlooking residual obligations under DFARS 252.204-7012 such as risk-based mitigations and incident reporting.

    5. Proactive compliance is essential.  Suppliers processing DoD information should: (1) determine whether they manufacture defense articles subject to the ITAR or handle ITAR-controlled technical data; (2) identify all foreign persons requiring access to such data and secure required authorizations; (3) conduct gap analyses to evaluate their NIST SP 800-171 compliance; (4) implement necessary security controls; and (5) maintain proper documentation of their cybersecurity and export control programs to mitigate risks of FCA liability.
