US charges former Accenture employee with misleading feds on cloud platform’s security


Danielle Hillmer, most recently employed with SentinelOne, allegedly concealed a cloud product’s noncompliance with federal security regulations.

The Justice Department charged a former product manager at Accenture Federal Services with misleading government customers about the security posture of a cloud product offered by the company.

From March 2020 to November 2021, Danielle Hillmer allegedly obstructed federal auditors and falsely represented that an Accenture cloud platform for federal use had required security controls in place, according to indictment documents. 

The documents do not name specific companies she was employed at, but a scan of what appears to be her LinkedIn profile shows she managed cloud services products at Accenture’s federal consulting arm at the same time the alleged activity took place.

She was most recently employed at SentinelOne, a cybersecurity firm, according to the LinkedIn profile. A SentinelOne spokesperson said she’s “not been employed with us for a while” and that the actions in the indictment “are totally unrelated to her employment here.” 

Accenture said in a 2023 financial filing that the Justice Department was investigating “whether one or more employees provided inaccurate submissions to an assessor who was evaluating on behalf of the U.S. government an AFS (Accenture Federal Services) service offering and whether the service offering fully implemented required federal security controls.”

“As previously disclosed in our public filings, we proactively brought this matter to the government’s attention following an internal review. We have cooperated extensively with the government’s investigation and continue to do so,” an Accenture spokesperson told Nextgov/FCW. “We remain dedicated to operating with the highest ethical standards as we serve all our clients, including the federal government.”

Hillmer did not immediately return a request for comment. Her LinkedIn profile describes her Accenture role as a business and system owner overseeing the firm’s federal cloud-migration services, and later as the lead for the company’s cloud-managed services portfolio.

Although the platform was marketed as secure for agencies, Hillmer “concealed the platform’s noncompliance with security controls under the Federal Risk and Authorization Management Program (FedRAMP) and the Department of Defense’s Risk Management Framework,” a Justice Department press release says.

FedRAMP is the U.S. government framework for assessing and monitoring the security of private sector cloud services used by federal agencies. Misrepresenting systems’ security to the government can be dangerous for agencies’ cyber posture because the compliance check helps determine if a product is safe to operate in federal environments.

The DOD Risk Management Framework is similar to FedRAMP, but it applies to military information systems, rather than commercial cloud services used in civilian agencies.

Prosecutors say Hillmer tried to sway and impede independent assessors during mandatory audits in 2020 and 2021 by hiding security gaps and directing others to mask the system’s real condition during tests and demos. 

She is also accused of giving the Army false information to persuade it to sponsor the platform for a DOD authorization. The charges say Hillmer submitted and directed colleagues to submit authorization documents to assessors that she knew included materially false statements to secure and retain government approvals to operate.

“Despite receiving repeated warnings from employees and outside consultants that the platform was not ready to uplift, Hillmer made false and misleading representations about the system architecture and implementation of security controls to assessors and authorizing officials to fraudulently obtain approval to uplift the platform to FedRAMP High,” the indictment says.

In June 2020, an outside firm that assessed security documentation for the system warned that it wasn’t ready for elevation because over 100 security controls were not yet implemented, the indictment adds. But a month later, Hillmer still approved the submission to government auditors.

Cyber-related procurement fraud is a major enforcement area for federal prosecutors, who in recent years have pursued contractors accused of overstating their compliance with government-mandated security requirements. 

Contractors can profit from these schemes by winning federal business they aren’t qualified for, avoiding costly remediation work and preserving lucrative business deals that depend on maintaining the appearance of compliance with strict cybersecurity standards.