
DOJ’s Civil Cyber-Fraud Initiative – Where the False Claims Act Meets Cybersecurity

October 29, 2025

With cyberattacks an ever-present threat, safeguarding information is more critical than ever, and insiders who know of systemic cyber failures at government contractors must come forward to protect federal systems and data from compromise. The False Claims Act rewards whistleblowers with a share of what the government recovers for doing just that.

In October 2021, the Deputy Attorney General announced the Civil Cyber-Fraud Initiative, signaling that the government would use the False Claims Act (FCA) to hold contractors accountable for cybersecurity failures. Under this initiative, the DOJ is focusing on entities that:

• Knowingly provide deficient cybersecurity products or services (e.g. selling systems with known security vulnerabilities)
• Knowingly misrepresent their cybersecurity practices or protocols (e.g. falsely claiming compliance with security standards)
• Knowingly violate obligations to monitor and report cybersecurity incidents (e.g. failing to report a breach as required by contract)

This approach relies on contract terms that treat cybersecurity noncompliance as a form of fraud against the government. In practice, that means if a contractor promises to implement certain cybersecurity controls but doesn’t actually do so, any claims for payment under that contract could be deemed false or fraudulent. The FCA imposes treble damages (three times the government’s loss) plus a civil penalty for each false claim, so the stakes are high. DOJ officials have emphasized that “failure to [satisfy cybersecurity requirements] can compromise sensitive information… [and] the Justice Department will hold accountable those contractors who knowingly fail to satisfy cybersecurity requirements.”

Enforcement Momentum

Since 2021, the Civil Cyber-Fraud Initiative has gained significant momentum. The DOJ projected that cybersecurity enforcement would ramp up in 2024 and beyond, a prediction borne out by the steady stream of cases being filed and settled. By late 2025, DOJ had announced at least 14 settlements under the initiative, reflecting a growing enforcement priority. While traditional FCA cases (e.g. healthcare or procurement fraud) still account for the bulk of recoveries, cybersecurity-related FCA actions are now firmly on the radar. Government contractors are on notice that cybersecurity is a material requirement; ignoring it or misrepresenting cyber compliance can lead to accusations of defrauding the government.

Cybersecurity Requirements Are Contractual Obligations

For companies doing business with the federal government, cybersecurity standards aren’t optional guidance – they are binding contractual obligations. Key frameworks and regulations include:

NIST SP 800-171 (DFARS Requirements): The Department of Defense requires contractors to implement the 110 security controls in NIST Special Publication 800-171 to protect Controlled Unclassified Information (CUI) on contractor systems. This mandate is usually flowed down via DFARS 252.204-7012, a DoD contract clause obligating “adequate security” for CUI. Contractors must attest to implementing controls like access controls, encryption of data, continuous monitoring, incident response, and system integrity checks. (Notably, the DoD’s Cybersecurity Maturity Model Certification (CMMC) program is being rolled out to audit and certify contractors’ compliance with NIST 800-171.) Falsely certifying compliance with these cybersecurity requirements – or accepting DoD contract money while knowing you haven’t actually implemented the required controls – can trigger FCA liability.

FedRAMP and NIST SP 800-53 (Cloud Security): If a contractor handles federal data using cloud services or third-party IT systems, FedRAMP authorization rules apply. FedRAMP requires cloud service providers to meet the NIST SP 800-53 security controls at the appropriate baseline (e.g. Moderate or High) for federal information. In one recent case, a defense contractor used an unapproved third-party email system that did not meet FedRAMP Moderate baseline security – a direct violation of contract terms. The contractor had failed to ensure its SaaS email host complied with required federal security standards, leading to a False Claims Act settlement of $4.6 million in 2025 for this lapse. The lesson is clear: using non-FedRAMP-compliant cloud systems or software to store government data can be deemed a material breach of contract and a false certification.

FAR 52.204-21 (Basic Safeguarding of FCI): Even for contracts that involve no CUI, basic cyber hygiene is required of all federal contractors. FAR 52.204-21 mandates safeguarding Federal Contract Information (FCI) through 15 minimum security controls (e.g. limiting system access to authorized users, protecting against malicious code, monitoring and controlling communications at system boundaries, etc.). For example, the DOJ’s 2025 settlement with Raytheon noted that the company’s internal network failed to meet FAR 52.204-21 basic requirements while handling government contract data. In that case, no system security plan was in place and basic controls were lacking, violating both FAR and DFARS clauses on 29 DoD contracts. The inclusion of FAR 52.204-21 in FCA allegations shows that even “basic” cybersecurity lapses (like lack of antivirus or poor access controls) can form the basis of fraud allegations if those lapses violate contract terms.

Access Controls and Monitoring (Cyber Hygiene): Beyond specific frameworks, many contracts incorporate standard cybersecurity measures. These include implementing multi-factor authentication (MFA) for accessing sensitive systems, maintaining up-to-date anti-virus/anti-malware protection, and deploying intrusion detection systems (IDS) or audit logging to monitor for unauthorized access.

Such measures are often considered industry best practices and may be explicitly required by reference (for instance, NIST 800-171 includes controls on account management, incident monitoring, etc.). Failing to enforce strong password policies or sharing credentials can be a breach of contract. In one FCA case, a contractor’s staff shared passwords and sent unencrypted emails containing personal data, violating the contract’s cybersecurity clauses. Another case alleged that a university lab had no antivirus software on devices handling DoD data, contrary to basic security expectations.

These “ordinary” security lapses became evidence of false claims when the contractors had certified they would follow required safeguards. In short, if a security control is specified in the contract or underlying regulations, it must be taken as seriously as any deliverable – ignoring it can amount to fraud.

By writing cybersecurity requirements into contracts, the government ensures it can use legal remedies if those terms are violated. As DOJ officials have noted, this elevates cybersecurity failures to the level of procurement fraud: “By making cybersecurity requirements enforceable under the FCA, the government is signaling that security failures are fraud risks, not merely IT oversights.” Regulatory compliance and sound cyber practices now go hand-in-hand – contractors should treat security plans, risk assessments, and compliance self-certifications with the same rigor as they would treat financial reporting.

Recent False Claims Act Cases Involving Cybersecurity Failures

A series of real-world FCA enforcement cases in the past few years illustrates how cybersecurity noncompliance can lead to substantial penalties. Importantly, these cases often came to light through whistleblower (qui tam) actions. Here are several notable examples (with their outcomes):

• Comprehensive Health Services (CHS) – Settlement: $930,000 (2022).
• Aerojet Rocketdyne – Settlement: $9,000,000 (2022).
• Insight Global (COVID-19 Contact Tracing Data) – Settlement: $2,700,000 (2024).
• MORSE Corp – Settlement: $4,600,000 (2025).
• Raytheon & Subcontractor (Nightwing Group) – Settlement: $8,400,000 (2025).

The DOJ’s Civil Cyber-Fraud Initiative has reshaped how the government enforces cybersecurity obligations under the FCA. By embedding security standards into contracts and treating misrepresentations as fraud, the DOJ has elevated cybersecurity to a compliance priority on par with financial reporting or product quality.

Contractors should now view cybersecurity compliance as both a legal and ethical responsibility. Enforcement activity continues to expand, and whistleblowers play an essential role in identifying and exposing violations that could otherwise jeopardize national security and public safety.

Brown, LLC is a nationally recognized whistleblower law firm that represents clients nationwide in False Claims Act, SEC, CFTC, IRS, and other whistleblower matters. This article is for informational purposes and does not constitute legal advice.

Reviewed by

Legal Assistant. Jake holds a B.A. in Political Science and is proficient in Spanish and German. He brings empathy and a passion for knowledge to his work.