Recent Settlements
On July 31, 2025, the DOJ announced that a California-based defense contractor and its private equity owner, Gallant Capital Partners, agreed to pay $1.75 million to resolve allegations that they knowingly failed to comply with cybersecurity requirements in a contract with the Department of the Air Force. The government acknowledged that the companies voluntarily disclosed the violations, cooperated with the investigation, and took remedial steps—actions that earned them credit and likely reduced the settlement amount.
That same day, a genomic sequencing company agreed to pay $9.8 million to resolve allegations, raised by a whistleblower, that it sold sequencing systems with known cybersecurity vulnerabilities to federal agencies. The government alleged that the company failed to incorporate cybersecurity into its product design and falsely represented compliance with cybersecurity standards, including those from NIST and ISO.
These cases are part of a broader initiative to use the False Claims Act to promote cybersecurity compliance among federal contractors and grantees. They underscore the importance of robust cybersecurity programs and the risks of misrepresenting compliance.
The Legal Landscape: FCA and Cybersecurity
Under the FCA, knowingly misrepresenting compliance with cybersecurity obligations (or failing to meet them while certifying conformity) can render claims for payment false, even without a proven data breach. The Civil Cyber-Fraud Initiative formalizes that approach.
DOJ’s Civil Cyber-Fraud Initiative
Since launching the Civil Cyber-Fraud Initiative (CCFI) in October 2021, the DOJ has used the FCA to pursue contractors and grantees that (i) misrepresent compliance with cybersecurity practices or controls, (ii) knowingly provide products with known cyber vulnerabilities, or (iii) fail to timely report cyber incidents as required by contract or regulation. The CCFI's track record also shows that self-disclosure, cooperation, and remediation by recipients of federal funds have a meaningful effect on the penalties imposed.
Cybersecurity Maturity Model Certification (CMMC) Program
The DoD’s Cybersecurity Maturity Model Certification (CMMC) program locks these compliance requirements into DoD contracts and subcontracts. On September 10, the DoD issued the final DFARS rule implementing the CMMC, with the final rule going into effect for new solicitations on November 10, 2025.
CMMC establishes three levels of certification, mapped to practices in FAR 52.204-21 (Level 1), NIST SP 800-171 (Level 2), and NIST SP 800-172 (Level 3). Contractors handling controlled unclassified information (CUI) will need independent third-party assessments to demonstrate compliance at Levels 2 and 3.
This means that if a contractor falsely certifies compliance with cybersecurity requirements, they may be exposed to FCA liability, even if, as stated above, no actual data breach occurs. The mere failure to meet contractual cybersecurity obligations, coupled with a representation of compliance, can be enough.
The government’s reliance on digital infrastructure and sensitive data makes cybersecurity within the DoD supply chain a national security imperative. Contractors must treat cybersecurity on DoD contracts as a core compliance issue, not a peripheral IT concern, for two reasons. First, holding the appropriate CMMC certification is now a prerequisite to being awarded a DoD contract. Second, false statements of CMMC compliance carry FCA liability risk.
Looking Ahead: Enforcement Trends and Best Practices
We expect to see more FCA cases focused on cybersecurity, particularly in sectors handling sensitive data—defense, healthcare, energy, and research. Contractors should anticipate increased scrutiny of their cybersecurity practices, including audits, investigations, and whistleblower complaints. While cybersecurity-based FCA enforcement began with contractors providing services that centered on cybersecurity, the Justice Department and whistleblowers are gradually extending the cybersecurity theory to contractors performing all manner of work. An open question is whether, at some point, the cybersecurity FCA theory will reach all contractors (including healthcare providers) that submit claims to the federal government and experience data breaches. As this FCA theory expands, everyone doing business with the government should prepare for increased scrutiny.
To mitigate risk, contractors should:
- Conduct regular cybersecurity assessments and gap analyses.
- Ensure accurate and up-to-date representations of compliance.
- Train personnel on cybersecurity obligations and reporting protocols.
- Establish clear lines of responsibility for cybersecurity compliance.
- Ensure the cybersecurity requirements in the applicable contract clauses are being met (e.g., FAR 52.204-21, DFARS 252.204-7021).
- Engage legal counsel early when issues arise.
Cybersecurity is no longer just a technical issue—it’s a legal, regulatory, and reputational one. Contractors must build compliance into their culture and operations.
Conclusion
These settlements demonstrate that the DOJ is serious about holding contractors accountable for cybersecurity failures, even in the absence of a breach. They also show that cooperation and remediation can make a meaningful difference.
For contractors, the message is clear: cybersecurity compliance is a legal obligation, not a best practice. The False Claims Act is now firmly part of the cybersecurity enforcement toolkit. Contractors who invest in robust cybersecurity programs—and who respond proactively when issues arise—will be better positioned to navigate this evolving landscape.