Key Takeaways:
- The US is suing a former senior manager at Accenture, Danielle Hillmer, for allegedly misleading the government about the security of an Army cloud platform.
- Hillmer is accused of deceiving auditors over the capabilities of the Nonappropriated Fund Integrated Financial Management System (NIFMS) platform.
- The platform was used by other government customers beyond the Army, and Accenture’s contract was worth around $30 million.
- Hillmer allegedly filed an application to raise the platform’s FedRAMP authorization level from Moderate to High that contained various falsehoods and misleading statements about the platform’s security.
- The US claims that Hillmer’s actions could have resulted in Accenture securing contract wins worth around $250 million.
Introduction to the Case
The US government has filed a lawsuit against a former senior manager at Accenture, Danielle Hillmer, for allegedly misleading the government about the security of an Army cloud platform. According to the court documents, Hillmer, 53, of Chantilly, Virginia, is accused of deceiving auditors over the capabilities of a service the government commissioned in 2017. The platform in question is the Nonappropriated Fund Integrated Financial Management System (NIFMS), a cloud-based payroll, pension, and benefits system. A now-deleted LinkedIn account indicated that Hillmer worked for Accenture during the period covered by the complaint.
The Allegations Against Hillmer
The US alleges that between March 2020 and November 2021, Hillmer obstructed federal auditors and falsely represented the security of the company’s cloud platform, which was used by other government customers beyond the Army. The platform was required to meet the Federal Risk and Authorization Management Program (FedRAMP) High baseline and the Department of Defense’s (DoD) Impact Levels 4 and 5. Hillmer allegedly represented the NIFMS platform as having security controls enabled that met these standards when, in fact, the platform had not implemented required controls in the areas of access control, incident response, and continuous monitoring.
The FedRAMP and DoD Security Standards
The Federal Risk and Authorization Management Program (FedRAMP) standardizes the security assessment and authorization of cloud services used by federal agencies. It defines Low, Moderate, and High baselines that scale with the impact a compromise would have; the High baseline applies to systems handling the most sensitive unclassified federal information. The DoD layers its own requirements on top of FedRAMP through its Cloud Computing Security Requirements Guide, and Impact Levels 4 and 5 are the two highest levels for unclassified information. IL4 builds on the FedRAMP Moderate baseline with additional DoD-specific controls, while IL5 adds further controls and is the highest level available for unclassified data. Accenture’s contract was worth around $30 million in total and required a DoD Impact Level 4 assessment to fulfil it.
Hillmer’s Actions and the Consequences
Hillmer allegedly filed an application with the Joint Authorization Board, the body that administered FedRAMP authorizations, to raise the platform’s authorization level from Moderate to High. The US claims Accenture would then have used that authorization to pursue DoD IL5 accreditation. The application, however, allegedly contained various falsehoods and misleading statements about the platform’s security. Hillmer allegedly knew that the platform had not implemented required security controls, and that customer environments were not managed, monitored, governed, and secured as described in the platform’s system security plan. The system security plan matters because it is the document auditors assess the platform against: a control the plan describes as implemented but that does not exist in the environment is exactly the gap an assessment is meant to catch. Despite being told by numerous people inside the company and by outside cybersecurity consultants that the platform did not meet FedRAMP High requirements, Hillmer allegedly continued to misrepresent its security.
The Timeline of Events
According to the timeline set out in the legal filings, Hillmer filed the application on March 10, 2020, stating that the company required FedRAMP High because of the Army contracts it had secured, and promising that the relevant controls would be implemented by April 2020 and operational by August. In June 2020, however, an outside consultant told Hillmer that more than 100 security controls had not been implemented and that, in various cases, no solution had even been identified. Hillmer allegedly approved a Readiness Assessment Report in July knowing the system was not compliant, and spent the following months concealing known issues from officials. The misrepresentations continued into September 2021, the US claims. By that point at least six government departments planned to use the platform, which could have brought Accenture contract wins worth around $250 million.
Accenture’s Response
An Accenture spokesperson told The Register that the company had proactively brought the matter to the government’s attention following an internal review, and had cooperated extensively with the government’s investigation. The spokesperson stated that Accenture remains dedicated to operating with the highest ethical standards as it serves all its clients, including the federal government. The company also informed the Securities and Exchange Commission (SEC) about the matter in a Form 10-K filed on October 12, 2023, stating that the Justice Department had initiated civil and criminal proceedings against "one or more employees," and that it was fully complying with its investigation.