Uncle Sam sues ex-Accenture manager over Army cloud security claims
The US is suing a former senior manager at Accenture for allegedly misleading the government about the security of an Army cloud platform.
Danielle Hillmer, 53, of Chantilly, Virginia, is accused of deceiving auditors over the capabilities of a service the government commissioned in 2017.
Although it is only referred to as Company A in the court documents, Hillmer claimed to work for Big Four consulting firm Accenture during the stated timeline, according to a now-deleted LinkedIn account.
The US alleges that between March 2020 and November 2021, Hillmer obstructed federal auditors and falsely represented the security of the company’s cloud platform, which was used by other government customers beyond the Army.
The platform in question is described as the Nonappropriated Fund Integrated Financial Management System (NIFMS), which in lay terms is a cloud-based payroll, pension, and benefits system.
According to the indictment [PDF] unsealed this week, Hillmer specifically sought to represent the NIFMS platform as having implemented security controls that met the FedRAMP High baseline and the Department of Defense's (DoD) Impact Levels 4 and 5.
The Federal Risk and Authorization Management Program (FedRAMP) standardizes security assessments, and systems must have a “high” baseline to store federal information.
The DoD has its own risk management framework, with Impact Levels 4 and 5 representing the highest levels of security. IL4 requires systems to meet a mix of criteria, ranging from FedRAMP Moderate and FedRAMP High to DoD-specific controls, while IL5 is the highest level available for unclassified information.
Accenture’s contract was worth around $30 million in total, the court documents showed, and required a DoD Impact Level 4 assessment in order to fulfill it.
Hillmer allegedly filed an application to the Joint Authorization Board responsible for administering FedRAMP to raise the platform’s compliance level from Moderate to High. The US claimed Accenture would have used this to gain DoD IL5 accreditation.
This application allegedly contained various falsehoods and misleading statements about the platform’s security.
“Among other things, Hillmer knew the platform had not implemented required security controls related to access control, incident response, and continuous monitoring, including auditing, logging, monitoring, and alerting,” the indictment reads.
“Hillmer also knew customer environments were not managed, monitored, governed, and secured as represented in the platform’s system security plan.”
Hillmer allegedly did this despite numerous people inside the company, as well as outside cybersecurity consultants, telling her that the platform did not comply with FedRAMP High requirements.
According to a timeline of events outlined in the legal files, Hillmer filed the application on March 10, 2020, noting that the company required FedRAMP High because of the Army contracts it had secured, and promising that the relevant controls would be implemented by April 2020 and operational by August.
In June 2020, an outside consultant told Hillmer that more than 100 security controls had not been implemented, and in various cases, a solution had not been identified.
She allegedly approved a Readiness Assessment Report in July, knowing the system was not compliant, and spent the following months hiding known issues from officials.
In September 2020, the US claims, Hillmer explicitly stated that all FedRAMP High controls were in place and that the company needed to secure the accreditation by January 1, 2021, because of the Army contract wins.
These misrepresentations continued into September 2021, the US claims, by which time at least six government departments planned to use the platform, which could have landed Accenture further contract wins worth around $250 million.
An Accenture spokesperson told The Register: “As previously disclosed in our public filings, we proactively brought this matter to the government’s attention following an internal review.
“We have cooperated extensively with the government’s investigation and continue to do so. We remain dedicated to operating with the highest ethical standards as we serve all our clients, including the federal government.”
Accenture said as much to the Securities and Exchange Commission (SEC) in a Form 10-K [PDF] filed on October 12, 2023, stating that the Justice Department had initiated civil and criminal proceedings against "one or more employees," and that it was fully complying with the investigation. ®
