DoJ Alleges Cyber Fraud Tied to FedRAMP Compliance

Key Takeaways:

  • A former Accenture employee, Danielle Hillmer, has been charged with multiple counts of fraud for allegedly misleading federal officials about the security of a cloud platform used by the Army and other agencies.
  • The indictment alleges that Hillmer concealed known issues with the cloud platform’s security controls and submitted false information to obtain a FedRAMP High provisional authority-to-operate (P-ATO).
  • The case highlights the importance of enforcing federal cybersecurity requirements and the potential consequences for individuals and companies that fail to meet these requirements.
  • The FedRAMP program has been under scrutiny in recent years, with many calling for streamlining the process to make it easier for agencies to access new technology.

Introduction to the Case
The Department of Justice (DoJ) has charged a former Accenture employee, Danielle Hillmer, with multiple counts of fraud for allegedly misleading federal officials about the security of a cloud platform used by the Army and other agencies. According to the indictment, Hillmer concealed known issues with the cloud platform’s security controls and submitted false information to obtain a FedRAMP High provisional authority-to-operate (P-ATO). The indictment does not identify the cloud platform or company that Hillmer worked for at the time of the alleged fraud, but Hillmer’s LinkedIn profile shows that she worked for Accenture Federal Services as "lead, cloud managed services" and "business and system owner, cloud management platform services" during the time in question.

The Allegations Against Hillmer
The indictment alleges that in March 2020, Hillmer sought to "uplift" the cloud platform in question from a FedRAMP Moderate to a High authorization, driven by recently awarded Army contracts that required FedRAMP High. However, Hillmer allegedly ignored warnings from a fellow employee and an outside firm that the cloud platform wasn’t compliant with security controls required for a FedRAMP High authorization. For instance, the indictment alleges that Hillmer was aware that system administrators could access the cloud platform without "necessary" multifactor authentication controls in place. Despite these warnings, Hillmer allegedly concealed known issues from assessors and authorizing officials, and submitted materials to FedRAMP and the Joint Authorization Board "knowing they contained materially false and misleading representations about the platform’s architecture, implementation of security controls and risk posture."

The Consequences of Hillmer’s Actions
The consequences of Hillmer’s actions were significant, with the FedRAMP program granting the cloud platform a FedRAMP High provisional authority-to-operate (P-ATO) in July 2021. At least six departments and agencies, including the Army, used or planned to use the P-ATO to obtain authorizations for cloud products and services, with the contracts or subcontracts involved valued at more than $250 million. The criminal charges against Hillmer carry heavy weight, with the wire fraud charge alone carrying a maximum of 20 years in prison. Lawyers representing Hillmer did not respond to an emailed request for comment.

The Response from Accenture and SentinelOne
Accenture, Hillmer’s former employer, has stated that it proactively brought the matter to the government’s attention following an internal review and has cooperated extensively with the government’s investigation. A spokesman for SentinelOne, Hillmer’s current employer at the time of the indictment, noted that Hillmer left her position at the company in August and said that the DoJ’s allegations have "nothing to do with her work at SentinelOne." In her previous role at SentinelOne, Hillmer was not involved in any compliance-related work for FedRAMP or any other program, according to the spokesman.

The Significance of the Case
The case is notable, as the DoJ has increasingly pursued legal action to enforce federal cybersecurity requirements. The Civil Cyber-Fraud Initiative has resulted in multiple False Claims Act settlements with companies for allegedly failing to meet contractual security requirements. However, a criminal case targeting an individual employee for allegedly misrepresenting security controls will be closely watched in the FedRAMP community. The case highlights the importance of enforcing federal cybersecurity requirements and the potential consequences for individuals and companies that fail to meet these requirements.

The Future of FedRAMP
Most conversations around the cloud security program in recent years have focused on streamlining the FedRAMP process, which is often considered a barrier to agencies accessing new technology. The case against Hillmer may add a new layer of complexity to these conversations, as it highlights the need for individuals and companies to prioritize cybersecurity and comply with federal requirements. As the use of cloud technology continues to grow in the federal government, the importance of ensuring the security and integrity of these systems will only continue to increase.
