
Article Summary

The Department of Justice launched its Civil Cyber-Fraud Initiative in 2021 to crack down on contractors that introduce vulnerabilities into government networks because of their shoddy cybersecurity. Government contractors wondering whether their cybersecurity systems are up to snuff can look to recent cases and federal regulations for insight into what DOJ's Civil Cyber-Fraud Enforcement division may consider compliance violations.

This article by TELG principal Janel Quinn and former associate Lydia A. Pappas was published by The Employment Law Group, P.C. on January 2, 2026.

DOJ’s Cyber-Fraud Initiative: Enforcement Surges After 5 Years

By Janel Quinn and Lydia A. Pappas

———

The Department of Justice’s Civil Cyber-Fraud Initiative reshaped how the federal government enforces cybersecurity obligations after its launch in October of 2021. The False Claims Act (FCA), long applied to fraudulent billing schemes, is now being used to hold contractors accountable when they fail to meet federal cybersecurity requirements put in place to safeguard information vital to national security.

Billions in federal funds are tied to sensitive defense, health, and research projects, making compliance with cybersecurity requirements a high-stakes obligation. Increasingly sophisticated cyber threats heighten the importance of contractor compliance and strong data security.

How did we get here?

Hackers launched a large-scale cyberattack on SolarWinds, an IT management company whose network monitoring software was widely used on federal systems, in December of 2020. The attack highlighted the need for greater cybersecurity controls amongst federal contractors.

The hackers gained access to SolarWinds’ Orion network that interfaced with the networks of numerous federal agencies, including the Department of Homeland Security, the Department of State, the U.S. Treasury, and the Department of Justice (DOJ). A backdoor created by exploiting vulnerabilities in SolarWinds’ network allowed the hackers unfettered access to sensitive government information and placed national security at risk. This attack underscored both the rise of cyber espionage and the importance of placing cybersecurity at the forefront of all sensitive operations.

Has enforcement been effective?

Civil Cyber-Fraud Enforcement has had significant success over the past five years in targeting government contractors, subcontractors, and grantees who put U.S. information and networks at risk. These cases involve knowingly providing deficient cybersecurity products or services, misrepresenting their cybersecurity practices or protocols, or violating obligations to monitor and report cybersecurity incidents and breaches. DOJ has announced at least fourteen settlements of cyber-fraud matters since the Initiative’s inception — five of which are from 2025 alone.

In one of the largest settlements, Guidehouse Inc. and Nan McKay and Associates agreed to pay $11.4 million to settle allegations that they failed to secure application data in the emergency rental assistance program. The U.S. government alleged that the companies also failed to ensure that the application system underwent cybersecurity testing in its pre-production environment before being launched to the public — a factor it did not disclose to the government.

Brief summaries of the other 13 settlements can be found in their respective footnotes at the bottom of this article:

  1. Comprehensive Health Services (March 2022)[1] — $930,000
  2. Aerojet Rocketdyne, Inc. (July 2022)[2] — $9,000,000
  3. Jelly Bean Communications Design LLC (March 2023)[3] — $293,771
  4. Verizon Business Network Services (September 2023)[4] — $4,091,317
  5. Insight Global LLC (May 2024)[5] — $2,700,000
  6. ASRC Federal Data Solutions LLC (October 2024)[6] — $306,722
  7. Pennsylvania State University (October 2024)[7] — $1,250,000
  8. Healthnet Federal Services & Centene (February 2025)[8] — $11,253,400
  9. MORSECORP Inc. (March 2025)[9] — $4,600,000
  10. Raytheon Companies & Nightwing Group (May 2025)[10] — $8,400,000
  11. Illumina Inc. (July 2025)[11] — $9,800,000
  12. Aero Turbine Inc. & Gallant Capital (July 2025)[12] — $1,750,000
  13. Georgia Tech Research Corp. (September 2025)[13] — $875,000

The amounts recovered in these settlements signal the importance of cybersecurity compliance to the government.

Contractors in each of these cases were charged with safeguarding sensitive information, and they allegedly failed to comply with relevant data protection regulations and misrepresented their compliance to the government. In some of the settlements the U.S. government asserted that, while the contractors maintained minimal compliance with regulations, they still had to be held accountable for misrepresenting the extent of their non-compliance or for failing to report significant breaches within their systems in order to maintain their contracts and receive continued payments from the government.

Some people may think the U.S. government only cares about cybersecurity enforcement when it comes to defense or military contracts, but that’s far from true. Enforcement efforts cover the protection of all sensitive data from Medicare beneficiary and financial data to emergency rental assistance applications and COVID-19 tracing data.

The message is clear: Any company seeking contracts with any government agency must be prepared to implement the required cybersecurity protocols and protect the government’s data, whether it be healthcare data, housing data, financial and loan information, educational grants, military and defense products, or even software design and marketing efforts.

What can companies do?

To ensure compliance, companies must be aware of what their specific obligations are. Several key authorities provide a roadmap to success for contractors — and a knowing violation of those authorities forms the basis for cybersecurity violations under the FCA.

First and foremost, the National Institute of Standards and Technology (NIST) provides a framework for improving critical infrastructure cybersecurity. These guidelines are designed to manage cybersecurity risks with detailed technical recommendations for securing information systems. They also serve as the baseline for many of the contract and regulatory requirements imposed on federal and private contractors and subcontractors.[14]

Other key requirements for cybersecurity compliance are outlined in the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS). FAR 52.204-21 lists fifteen basic safeguarding controls for all contractor information systems that process, store, or transmit Federal Contract Information. These requirements include:

  • Limitations on system access,
  • Verification and control of all connections to external information systems,
  • Malicious code protection, and
  • Monitoring of system security.

As outlined by the FAR, compliance with cybersecurity requirements goes beyond the initial implementation of basic protocols, such as securing and controlling access to the network or utilizing intrusion detection systems. Companies must actively monitor the security of their networks and promptly report and address any attacks or breaches.

The DFARS guidelines incorporate compliance with the NIST risk assessment guidelines[15] and expand upon them with provisions requiring adequate reporting when a breach has been suspected or identified.[16]

Companies engaging in contracts with the Department of Defense (DoD) should also be aware of the Cybersecurity Maturity Model Certification (CMMC) Program Rule, which was fully incorporated into federal regulations on November 10, 2025. The CMMC is a mechanism by which DoD can measure and validate the implementation of the security measures required to safeguard Federal Contract Information and Controlled Unclassified Information. It carries certification and implementation requirements as well as active reporting requirements.

In addition to the resources above, the Securities and Exchange Commission has issued its own rules on cybersecurity reporting requirements and the associated penalties for violations. Publicly traded companies should pay particular attention to these rules when fulfilling their reporting requirements.

Courts have recognized that cybersecurity requirements imposed on contractors are a significant part of contractors’ obligations. Several cases have moved forward on genuine issues of materiality, with the courts holding that even disclosed noncompliance can be a significant legal issue if the government was not fully aware of the extent of the contractor’s or its systems’ noncompliance.[17] As another example, a blanket certification of compliance with all applicable rules and regulatory certification requirements may not be enough to protect a contractor from an FCA action if it is using a non-compliant database.[18]

Conclusion

The Civil Cyber-Fraud Enforcement efforts have cemented cybersecurity as a core contractual duty enforceable under the FCA. DOJ has made it clear through its enforcement actions that compliance with cybersecurity requirements is a key obligation of any contract.

For contractors, this means that investment in robust cybersecurity programs is no longer optional and that failing to make it could cost millions. Accurate reporting, documented controls, and proactive monitoring and remediation are essential to protecting sensitive data, maintaining trust with federal agencies, and avoiding FCA exposure.

If you discover that your employer isn’t complying with cybersecurity regulations for government contractors, contact The Employment Law Group.

———
[1] The contractor submitted claims to the State Department for the cost of a secure EMR system to store medical records yet allegedly failed to store patient records within the secure system. Instead, the government claimed the records were stored in an unsecure network accessible to all staff.
[2] The U.S. government alleged that the contractor misrepresented its compliance with cybersecurity requirements in certain federal contracts providing launch vehicles, missiles, and satellites to DoD, NASA, and other agencies.
[3] According to allegations, the contractor failed to secure personal information on a federally funded Florida children’s health insurance website in a contract for website design, programming, and hosting services. The contractor allegedly failed to properly maintain, patch, and update the software, leading to a hack that exposed applicants’ medical information.
[4] The U.S. government claimed the contractor did not satisfy three cybersecurity controls for Trusted Internet Connections in its GSA contracts, placing secure connections at risk for hacking.
[5] The contractor allegedly failed to secure private health information in a COVID-19 tracing database.
[6] The U.S. government alleged that the contractor stored the personal information of Medicare beneficiaries in an unsecured and unencrypted system that was breached by a third party.
[7] The contractor allegedly failed to implement contractually required cybersecurity controls in fifteen contracts with DoD and NASA to ensure the protection of defense information and subsequently failed to adequately develop and implement plans of action to correct deficiencies it identified. The U.S. government asserted that the contractor also misrepresented its compliance with the required controls to DoD and NASA.
[8] The U.S. government claimed the contractor falsely certified compliance with cybersecurity requirements in a contract to administer TRICARE health benefits programs for servicemen and their families, putting private health information at risk. The contractor further ignored reports from the Agency that it had identified vulnerabilities in the contractor’s network, according to the government’s claims.
[9] The U.S. government asserted that the contractor falsely certified its compliance with cybersecurity requirements on contracts with the Departments of the Army and Air Force, failing to implement cybersecurity controls, including establishing protocols to identify and cure vulnerabilities, and inflating its compliance scores.
[10] The contractor and subcontractor allegedly failed to implement required cybersecurity controls on internal development systems used to perform work for DoD as required under DFARS 252.204-7012 and FAR 52.204-21.
[11] The contractor allegedly sold genomic sequencing systems with software that had known cybersecurity vulnerabilities to the government. Further, the U.S. government claimed the contractor failed to incorporate product cybersecurity in its software design, development, and installation in violation of the NIST standards.
[12] The U.S. government claimed the contractor on a Department of the Air Force contract failed to control the flow of, and limit unauthorized access to, sensitive defense information by providing a foreign software company with files containing that information. The foreign actors were not authorized to receive the information.
[13] The contractor allegedly failed to install, update, or run anti-virus tools on equipment while performing sensitive cyber-defense research for DoD. Further, the U.S. government claimed the contractor didn’t have a system security plan in place to comply with the contractually required cybersecurity controls.
[14] Key NIST standards include:

  • NIST SP 800-53: Security and Privacy Controls for Information Systems and Organizations
  • NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • NIST SP 800-171A: Assessing Security Requirements for Controlled Unclassified Information
  • NIST SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information

[15] DFARS 252.204-7019 & DFARS 252.204-7020
[16] DFARS 252.204-7012
[17] See United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., 381 F. Supp. 3d 1240 (E.D. Cal. 2019).
[18] See United States ex rel. Permenter v. eClinicalWorks LLC, 2022 WL 17478238 (M.D. Ga., Dec. 6, 2022).

———

Janel Quinn is a principal at The Employment Law Group, P.C.; Lydia A. Pappas is a former associate of the firm.