Recent Settlements

On July 31, 2025, the DOJ announced that a California-based defense contractor and its private equity owner, Gallant Capital Partners, agreed to pay $1.75 million to resolve allegations that they knowingly failed to comply with cybersecurity requirements in a contract with the Department of the Air Force. The government acknowledged that the companies voluntarily disclosed the violations, cooperated with the investigation, and took remedial steps—actions that earned them credit and likely reduced the settlement amount.

That same day, a genomic sequencing company agreed to pay $9.8 million to resolve allegations, arising from a whistleblower complaint, that it sold sequencing systems to federal agencies with known cybersecurity vulnerabilities. The government alleged that the company failed to incorporate cybersecurity into its product design and falsely represented compliance with cybersecurity standards, including those from NIST and ISO.

These cases are part of a broader initiative to use the False Claims Act to promote cybersecurity compliance among federal contractors and grantees. They underscore the importance of robust cybersecurity programs and the risks of misrepresenting compliance.

The Legal Landscape: FCA and Cybersecurity

Under the FCA, knowingly misrepresenting compliance with cybersecurity obligations (or failing to meet them while certifying conformity) can render claims for payment false, even without a proven data breach. The Civil Cyber-Fraud Initiative formalizes that approach.

DOJ’s Civil Cyber-Fraud Initiative

Since launching the Civil Cyber-Fraud Initiative (CCFI) in October 2021, the DOJ has employed the FCA to pursue contractors and grantees that are (i) misrepresenting compliance with cybersecurity practices or controls, (ii) knowingly providing products with known cyber vulnerabilities, or (iii) failing to timely report cyber incidents as required by contract or regulation. Under the CCFI, the size of the penalty has come to depend meaningfully on self-disclosure, cooperation, and remediation by recipients of federal funds.

Cybersecurity Maturity Model Certification (CMMC) Program

The DoD’s Cybersecurity Maturity Model Certification (CMMC) program locks these compliance requirements into DoD contracts and subcontracts. On September 10, the DoD issued the final DFARS rule implementing the CMMC, with the final rule going into effect for new solicitations on November 10, 2025.

CMMC establishes three levels of certification, mapped to practices in FAR 52.204-21 (Level 1), NIST SP 800-171 (Level 2), and NIST SP 800-172 (Level 3). Contractors handling controlled unclassified information (CUI) will need independent third-party assessments to demonstrate compliance at Levels 2 and 3.

This means that if a contractor falsely certifies compliance with cybersecurity requirements, it may be exposed to FCA liability even if, as stated above, no actual data breach occurs. The mere failure to meet contractual cybersecurity obligations, coupled with a representation of compliance, can be enough.

The government’s reliance on digital infrastructure and sensitive data makes cybersecurity within the DoD supply chain a national security imperative. Contractors must treat cybersecurity on DoD contracts as a core compliance issue, not a peripheral IT concern, for two reasons. First, having the appropriate CMMC certification is now a prerequisite to being awarded a DoD contract. Second, false statements of CMMC compliance carry FCA liability risk.

Looking Ahead: Enforcement Trends and Best Practices

We expect to see more FCA cases focused on cybersecurity, particularly in sectors handling sensitive data—defense, healthcare, energy, and research. Contractors should anticipate increased scrutiny of their cybersecurity practices, including audits, investigations, and whistleblower complaints. While cybersecurity-based FCA enforcement began with contractors providing services centered on cybersecurity, the Justice Department and whistleblowers are gradually extending the cybersecurity theory to contractors performing all manner of work. A significant open question is whether, at some point, the cybersecurity FCA theory will reach all contractors (including healthcare providers) who submit claims to the federal government and who experience data breaches. As this FCA theory expands, everyone doing business with the government should prepare for increased scrutiny.

To mitigate risk, contractors should:

  • Conduct regular cybersecurity assessments and gap analyses.
  • Ensure accurate and up-to-date representations of compliance.
  • Train personnel on cybersecurity obligations and reporting protocols.
  • Establish clear lines of responsibility for cybersecurity compliance.
  • Ensure the cybersecurity requirements in the applicable contract clauses are being met (e.g., FAR 52.204-21, DFARS 252.204-7021).
  • Engage legal counsel early when issues arise.

Cybersecurity is no longer just a technical issue—it’s a legal, regulatory, and reputational one. Contractors must build compliance into their culture and operations.

Conclusion

These settlements demonstrate that the DOJ is serious about holding contractors accountable for cybersecurity failures, even in the absence of a breach. They also show that cooperation and remediation can make a meaningful difference.

For contractors, the message is clear: cybersecurity compliance is a legal obligation, not a best practice. The False Claims Act is now firmly part of the cybersecurity enforcement toolkit. Contractors who invest in robust cybersecurity programs—and who respond proactively when issues arise—will be better positioned to navigate this evolving landscape.

Jonathan Porter

Jonathan uses his years of experience as a federal prosecutor to guide clients through the challenges associated with government investigations and regulatory compliance.


Jonathan brings to clients a thorough working knowledge of how the U.S. government targets and pursues criminal and civil investigations, particularly those involving the healthcare industry. He is a former Assistant U.S. Attorney for the Southern District of Georgia, and in that capacity, he brought charges against numerous individuals and companies under federal law, including criminal charges of health care fraud, wire fraud, and violation of the Anti-Kickback Statute, and civil complaints alleging violations of the False Claims Act.

At the Department of Justice, Jonathan was a key member of multiple international health care fraud takedowns, in which Jonathan charged dozens of doctors, nurses, and other licensed medical professionals, along with marketers and health care executives for alleged participation in healthcare fraud schemes involving billions of dollars in false billings. In total, these charges resulted in more than 30 guilty pleas plus a conviction in the nation’s first trial of a medical professional charged as part of Operation Brace Yourself, which Jonathan first-chaired. Jonathan also was active in dozens of civil investigations brought under the False Claims Act. Jonathan resolved tens of millions of dollars in civil settlements and judgments for False Claims Act violations.

Jonathan also advises clients on a range of regulatory issues, along with the development and implementation of corporate compliance programs. He uses his unique perspective as a former AUSA, providing a prosecutor’s eye for detail in helping clients understand how DOJ and other agencies view compliance, particularly in light of the changing standards for compliance as outlined in the DOJ’s Evaluation of Corporate Compliance Programs (ECCP) and implemented in the Department’s white-collar crime enforcement initiative.

Erik Dullea

As head of Husch Blackwell’s Cybersecurity practice group, Erik assists clients in all aspects of cybersecurity and information security compliance and data breach response. Erik previously served as the acting deputy associate general counsel for the National Security Agency’s cybersecurity practice group before returning to the firm in 2023.

Kip Randall

A former Army officer, Kip now helps corporate and individual clients navigate government investigations. Kip counsels clients through investigations by the Securities and Exchange Commission (SEC); Environmental Protection Agency (EPA); Internal Revenue Service (IRS); Department of Justice (DOJ), including allegations of antitrust and False Claims Act violations; and state attorneys general. As a member of the eDiscovery Solutions group, Kip works at the intersection of eDiscovery and Government Investigations.

Ruth El

Ruth represents government contractors throughout the procurement process and contract life cycle. Ruth is a holistic, full services government contracts attorney, representing clients through their bid and during bid protests; throughout contract execution, along with accompanying claims and adjustment requests; and, when necessary, through litigation in the U.S. Court of Federal Claims. Ruth also provides advice on compliance with a wide array of contracts-related regulations, and she defends contractors against potential suspension and disbarment.