“Settlements and judgments under the False Claims Act [“FCA”] exceeded $2.9 billion in the fiscal year ending Sept. 30, 2024,” announced the United States Department of Justice’s (“DOJ”) Civil Division on January 15, 2025. These statistics come to light after the government and whistleblowers were party to 558 settlements and judgments in fiscal year 2024, the second highest total after fiscal year 2023’s record of 566 recoveries—illustrating that the FCA remains a powerful tool for the government to combat fraud and safeguard government programs and information. While FCA investigations and enforcement actions are often focused on the healthcare industry, cybersecurity has emerged as a critical area of focus for whistleblowers and DOJ prosecutors.
In 2021, the DOJ announced the Civil Cyber-Fraud Initiative (“Initiative”), which sought to “hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”[1] This initiative was DOJ’s first formal step in focusing on the preventative cybersecurity efforts of government contractors.
In our previous two articles, we discussed the Department of Defense’s (“DOD”) Cybersecurity Maturity Model Certification 2.0 Program (“CMMC 2.0”) and the proposed Federal Acquisition Regulation Controlled Unclassified Information Rule (“Proposed FAR CUI Rule”)—both of which implement stringent regulations under which federal contractors must protect data and information made part of their federal government contracts. Contractors that put sensitive information at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents will be at risk of FCA enforcement actions. Accordingly, CMMC 2.0 and the Proposed FAR CUI Rule are potential sources of liability under the FCA.
Regardless of the various policy shifts occurring within the federal government, the government’s interest in pursuing cyber-fraud cases via the FCA is here to stay. Accordingly, the DOJ is likely to initiate more FCA lawsuits against government contractors that it believes are failing to meet their cybersecurity obligations. This includes cases where government contractors have misrepresented their own cybersecurity compliance in the Supplier Performance Risk System (“SPRS”), which, as our prior articles have explained, is a system where contractors enter their self-assessment scores after analyzing compliance with NIST SP 800-171.
This enforcement landscape may also be altered by the Administrative False Claims Act (“AFCA”), passed in December 2024 to revitalize the Program Fraud Civil Remedies Act of 1986 (“PFCRA”). The AFCA permits federal agencies to independently pursue claims against government contractors without an FCA lawsuit. Thus, the AFCA streamlines enforcement procedures and allows agencies to recoup the costs of investigating and prosecuting AFCA matters, giving agencies, including DOD, a mechanism to pursue more minor cybersecurity lapses that may not meet DOJ thresholds for FCA suits.
Against this backdrop, alongside the increase in FCA claims targeting compliance with cybersecurity standards, many of those cases have ended in high-value settlements, showing just how seriously the DOJ is taking these enforcement actions.
Recent Developments
- On February 18, 2025, the DOJ announced that Health Net Federal Services Inc. (“HNFS”) and its corporate parent, Centene Corporation, agreed to pay $11,253,400 to resolve claims that HNFS falsely certified compliance with federal contractor cybersecurity requirements contained in a contract between HNFS and the DOD to administer the Defense Health Agency’s health insurance program, TRICARE, for servicemembers and their families.
- On March 26, 2025, defense contractor Morse Corp, Inc., agreed to pay $4.6 million to resolve FCA allegations that it submitted false claims related to alleged noncompliance with cybersecurity requirements in its Army and Air Force contracts. The DOJ alleged that the company did not implement certain cybersecurity controls, failed to ensure its third-party email host met the required security standards, and lacked a written cybersecurity plan.
- On May 1, 2025, defense contractor Raytheon Company and related companies agreed to pay $8.4 million to resolve FCA allegations that they submitted claims that falsely certified compliance with cybersecurity requirements in contracts and subcontracts with DOD. Specifically, the DOJ alleged that the company failed to implement the required controls on an internal development system used to perform unclassified work on certain DOD contracts.
The DOJ Intervenes in Whistleblower Cases Against Georgia Tech and Penn State
Two cases represent landmark enforcement actions under the DOJ’s Civil Cyber-Fraud Initiative. Both cases were brought by whistleblowers alleging that the institutions failed to comply with DFARS 252.204-7012 and DFARS 252.204-7019, which require contractors to implement the security controls outlined in NIST SP 800-171. These cases mark the first FCA interventions from the DOJ related to cybersecurity failures in federally funded research contracts. The DOJ has discretion to intervene, but when it chooses to do so, the DOJ takes over the responsibility for prosecuting the case, while the whistleblower who originally brought the case remains a party to the litigation (just not the leading party).
A whistleblower filed an FCA case against the Georgia Institute of Technology (“Georgia Tech”) on July 21, 2022. The DOJ intervened on February 20, 2024, and unsealed the complaint on August 22, 2024. In the suit, federal officials accuse Georgia Tech of not adhering to DOD cybersecurity standards in its research contracts. The case is ongoing, with Georgia Tech moving to dismiss the suit.
Georgia Tech asserts that the cybersecurity standards cited by the government did not apply to its contracts because they were for “fundamental research.” As Georgia Tech argues, fundamental research is explicitly excluded from handling sensitive “covered defense information,” an exclusion provided by National Security Decision Directive 189 (NSDD 189), and therefore the cybersecurity requirements the DOJ is trying to enforce were not applicable. Georgia Tech also claims that the version of NIST SP 800-171 applicable to its contracts did not include all the requirements the government now claims were violated. The university also alleges that DOD continued to pay for Georgia Tech’s research despite knowing about the alleged cybersecurity deficiencies. Georgia Tech asserts this undermines the materiality requirement of a valid FCA claim. Georgia Tech also disputes knowingly misrepresenting compliance. The motion to dismiss has not been adjudicated. However, if the case proceeds to trial, the DOJ’s litigation strategy may reveal how DOJ intends to handle future FCA litigation.
A similar case was filed against Pennsylvania State University (“Penn State”) on October 5, 2022. It was unsealed after one year, when a judge declined further extensions for the DOJ’s investigation. The DOJ intervened, reaching a settlement on October 22, 2024, with Penn State agreeing to pay $1.25 million without admitting wrongdoing. Yet the case highlights the risks of misrepresenting cybersecurity compliance in the SPRS. Since there is no independent certification process for NIST SP 800-171 compliance, self-attestation is critical. False statements in SPRS submissions can lead to FCA liability.
While these cases target universities, the same cybersecurity requirements at issue apply to many government contractors, and DOJ may be pursuing similar cases outside academia. The Penn State and Georgia Tech cases signal that the government is looking for ways to hold government contractors responsible for failures to live up to federal cybersecurity standards and self-attestations. FCA claims are one mechanism, while federal agencies can also enforce such standards through AFCA claims. With this spotlight on safeguarding cybersecurity, federal contractors should be ensuring compliance with the applicable rules and regulations to reduce their FCA risk, because FCA enforcement in cybersecurity will surely remain a fixture of DOJ’s efforts.
Takeaways
These settlements and costs associated with FCA lawsuits are substantial financial deterrents for false attestations or scrimping on cybersecurity measures. Any contractor working on projects for the federal government should ensure that appropriate cybersecurity measures are in place, but it is nearly as important to understand the requirements for attestation and reporting purposes. In addition, contractors should establish protocols and provisions in any subcontractor agreement to ensure that any subcontractor complies with these requirements. While there are certainly costs associated with cybersecurity, technology, compliance programs, employee training programs, and negotiating compliance from subcontractors, recent settlements and lawsuits demonstrate that failure to comply is more costly.
Besides the costs of potential FCA liability, contractors may fail to secure contract awards if certifications and self-assessments in SPRS expire. Contractors must ensure that they monitor deadlines for these certifications/self-assessments to comply with CMMC 2.0 and the Proposed FAR CUI Rule and to avoid missing contract opportunities.
Smith Currie Oles will monitor changes to and impacts of the DOJ’s enforcement of cybersecurity standards via the False Claims Act and stands ready to provide guidance and assistance to contractors in meeting these complex requirements and safeguarding their interests.
Smith Currie Oles provides comprehensive legal services to all parts of the construction industry across the nation. Smith Currie lawyers have decades of demonstrated success representing construction and federal government contracting clients “From the Ground Up,” including procurement matters, contract formation and negotiation, project administration, claims prosecution and, when necessary, in litigation and other forms of dispute resolution.
The views expressed in this article are not necessarily those of ConsensusDocs. Readers should not take or refrain from taking any action based on any information without first seeking legal advice.
[1] U.S. Department of Justice, Press Release: “Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative” (October 6, 2021).