DOJ Cyber Fraud Initiative Intensifies Enforcement of Federal Contractor Cybersecurity Obligations

https://www.securityinfowatch.com/cybersecurity/article/55359352/doj-cyber-fraud-initiative-intensifies-enforcement-of-federal-contractor-cybersecurity-obligations

Publish Date: 2026-02-23 15:08:00

Source Domain: www.securityinfowatch.com

Going forward, government contractors across industries — not just defense — can expect the DOJ to scrutinize compliance with cybersecurity provisions in government contracts.
Government complaints-in-intervention remain rare — To date, most DOJ settlements stem from private whistleblower suits, with the DOJ investigating for long periods and intervening solely for the purpose of settlement. So far, the DOJ has filed a formal complaint-in-intervention in only one qui tam case, against Georgia Tech Research Corporation (Georgia Tech), in August 2024, which we discussed at length in last year’s FCA Guide. In the Georgia Tech case, the DOJ alleged that there was “no enforcement” of the cybersecurity requirements in Georgia Tech’s contracts with the Department of Defense (DOD) and articulated its position that cybersecurity requirements were “material” to payment decisions on government contracts. As discussed further below, Georgia Tech settled these allegations in 2025, leaving the government’s theories untested and its litigation strategy unknown. It appears likely, though, that the DOJ will continue to rely on private relators to initiate and pursue cybersecurity FCA cases.
NIST SP 800-171 featured prominently — The DOJ’s enforcement efforts have focused on the specific cybersecurity provisions included in defendants’ government contracts. In particular, several recent settlements have focused on compliance with National Institute of Standards and Technology (NIST) Special Publications (SP), including SP 800-171. NIST SP 800-171 calls for the adoption of safeguards for the handling of sensitive government information. In at least four 2025 settlements (Raytheon/Nightwing, MORSECORP, Aero Turbine/Gallant Capital Partners, and Georgia Tech), the DOJ alleged failure to implement the NIST SP 800-171 framework. These follow a 2024 settlement with Pennsylvania State University (Penn State) in which a relator alleged that Penn State was required – but failed – to comply with NIST SP 800-171.
In the coming years, we may see even more cases involving NIST SP 800-171. In November 2025, the DOD began a three-year phased rollout of its final rule implementing the contractual requirements of the Cybersecurity Maturity Model Certification (CMMC) program. The CMMC program creates three compliance levels, based on the sensitivity of the information that contractors handle. Under the CMMC, contractors who handle Controlled Unclassified Information (CUI) must implement the security requirements outlined in NIST SP 800-171 and must periodically assess (or obtain a third-party assessment of) their compliance with these requirements. Although the requirement to comply with NIST SP 800-171 is not new, the CMMC program will require additional assessments, affirmations, and certifications — including attestations of subcontractor compliance — that aim to increase defense contractors’ accountability.
These additional certifications — if false — could open a clearer pathway to liability under the FCA in cybersecurity cases involving defense contractors. 
No cyberattack or data breach required for enforcement — The DOJ maintains that liability can arise even absent an actual cybersecurity incident. Specifically, in its July 2025 settlement agreement with Illumina, the DOJ asserted that the company’s “claims to the Agencies were false, regardless of whether any actual cybersecurity breaches occurred,” indicating its view that a false certification or undisclosed vulnerability is sufficient to establish FCA liability, even if no government information is improperly accessed. 
The DOJ’s damages theory remains unsettled and untested — Settlement amounts in cyber FCA matters have varied widely – to date, ranging from $294,000 to nearly $15 million – and often represent a small fraction of the contract values. For example, Raytheon settled with the government for $8.4 million, even though the relator alleged that Raytheon was paid over $30 billion in contracts with the government for “cyber offensive capabilities.” Similarly, the relator in the MORSECORP case alleged that the defendant had received over $100 million from the government as a contractor and subcontractor, yet the DOJ settled with MORSECORP for just $4.6 million.