

The US is suing a former senior manager at Accenture for allegedly misleading the government about the security of an Army cloud platform.
Danielle Hillmer, 53, of Chantilly, Virginia, is accused of deceiving auditors over the capabilities of a service the government commissioned in 2017.
The US alleges that between March 2020 and November 2021, Hillmer obstructed federal auditors and falsely represented the security of the company's cloud platform, which was used by other government customers beyond the Army.
(...)
The DoD has its own risk management framework, with Impact Levels 4 and 5 representing the highest levels of security. IL4 requires systems to meet a range of criteria spanning FedRAMP Moderate, FedRAMP High, and DoD-specific controls, while IL5 is the highest level available for unclassified information.
Accenture's contract was worth around $30 million in total, the court documents showed, and required a DoD Impact Level 4 assessment in order to fulfill it.
Hillmer allegedly filed an application to the Joint Authorization Board responsible for administering FedRAMP to raise the platform's compliance level from Moderate to High. The US claimed Accenture would have used this to gain DoD IL5 accreditation.
This application allegedly contained various falsehoods and misleading statements about the platform's security.
"Among other things, Hillmer knew the platform had not implemented required security controls related to access control, incident response, and continuous monitoring, including auditing, logging, monitoring, and alerting," the indictment reads.
"Hillmer also knew customer environments were not managed, monitored, governed, and secured as represented in the platform's system security plan."
Hillmer allegedly did this despite numerous voices inside the company, as well as outside cybersecurity consultants, informing her that the platform was not compliant with FedRAMP High requirements.