These 2 recent cases confirm DOJ is escalating cyber enforcement
Publish Date: 2026-03-04 15:49:00
Source Domain: federalnewsnetwork.com
Terry Gerton As 2025 closed, the Department of Justice rolled out two major enforcement actions that involved allegedly deficient cybersecurity practices and DoD contractors. From your vantage point, what did these cases signal about DOJ priorities coming into 2026?
Andrew Liebler That’s a great question, Terry, and 2025 was going to be a very interesting year generally for cyber enforcement, because it was the first year of cyber enforcement under the second Trump administration. And the big question on the mind of government investigations attorneys in this space was, what is the Trump administration going to do with the Biden administration’s civil cyber fraud initiative that was announced in October of 2021? The answer to that was a major increase in cyber enforcement, with nine announced settlements as part of the enforcement, capped off by the two settlements that you noted. And one of the big themes — not just from those last two enforcement actions of last year, but generally from the year — is that DoD contractors in particular were in the crosshairs of DOJ enforcement actions. And that primarily stems from their compliance with the DFARS 7012 clause in their contracts, which mandates NIST 800-171 cyber compliance. It’s very complex. There’s a lot of surface area for regulatory activity and enforcement, and that’s what those contractors saw in those actions.
Terry Gerton Well, Mr. Liebler, let’s follow up with the first case, which was with Swiss Automation, and it was all around that DFARS 7012 clause. When federal contractors take a look at the details of this case, what should they be noting particularly?
Andrew Liebler I think they should be noting generally that DFARS 7012 is a very potent hook for enforcement in these cases. The Swiss Automation case was actually, in terms of the settlements that were announced last year, sort of a low-water mark of the settlements. That might be informed in part because the conduct at issue in that case took place over a more narrow timeline, comparatively speaking — when I say conduct, I mean sort of the noncompliance or alleged noncompliance — took place over a more narrow timeline, comparatively speaking, with some of the other settlements that have been announced that took place over years of noncompliance.
Terry Gerton And Mr. Taubin, I want to come to you to talk about that second case. It was a criminal indictment against a former senior manager at a cloud service contractor, alleging false claims tied to FedRAMP. So how significant is it for DOJ to pursue criminal fraud tied to cybersecurity representation?
Lance Taubin This was a very, very significant indictment and had some ripples around our environment and the folks that work in our space. Because the criminal nature of this and also the knowing representations over years, concealing deficiencies to the Army during testing and demonstrations and the misleading representations, which is obviously the focus of an FCA claim and the cyber initiative. And I think the criminal nature of this is obviously incredibly serious and very different from the Swiss Automation case. But I think as you initially asked, what does this mean going forward? I think it’s really important that with CMMC coming into effect and with a phased timeline over the next few years, there are more opportunities and more requirements to issue statements, official statements, annual attestations of sorts that could be viewed as material misrepresentations of their cybersecurity program and compliance. So there’s generally, we think, potentially more opportunities for claims to be brought given the additional representations necessary that you need to make to the government.
Andrew Liebler A criminal indictment of an employee, a former employee I should say, of a government contractor obviously is a pretty significant and unique occurrence and especially, you know, compared to the five years of enforcement preceding this. But it sort of underscores, and I think while it may be sort of an extreme case in and of itself, it does underscore the sensitivity around the representations that any contractor has to make to the government — in this case, it was the Army — when submitting a task order or any other representation to the government for a claim for payment. That can be a really sensitive position for government contractors to be in, because the representations that you’re making are complex. Sometimes they can be ambiguous. Sometimes they could be subject to differing opinions between the contractor and the agency. And while it’s sort of an extreme outcome for a criminal indictment to spring from that set of circumstances, it does point to probably the most fraught component of federal contracting and especially for any contractor who has a contract that has significant cyber compliance obligations baked into the agreement.
Terry Gerton I’m speaking with Andrew Liebler and Lance Taubin, partners at Alston Bird. Mr. Taubin, let me come back to you. You mentioned the False Claims Act. These two cases are kind of different from what typically pops up as False Claims Act. How would you interpret the variability, especially related to cyber claims and relative to the False Claims Act?
Lance Taubin I think it comes back to — they’re different cases for sure, and the conduct was quite different — but I think they have a common theme of failure to comply or material misrepresentation of cybersecurity posture and compliance with your contractual obligations. And one was, potentially significantly in some people’s opinions, more egregious than the other and higher contract value and more significant repercussions. But I think from an FCA case, it all comes down to, what are your cybersecurity obligations? As Andrew mentioned, it’s not always black and white, what your obligations are. What attestations have you made to government? In what form? And does that have a material impact on the government and the agency? So I do think that there are some common themes despite the difference of severity of activity.
Terry Gerton If you were a contractor right now who might see yourself in one of these cases or one of the others that DOJ brought in 2025, what actions should you be taking right now to reduce your risk of getting caught up in this net?
Lance Taubin This is going to sound so simple but know what your obligations are. And it’s not simple. It really isn’t. Government contracts are not very clear sometimes. Really important to know your obligations, and the government will be transparent with you and have that open conversation. Engage the right stakeholders to build your compliance program. That should not just be information security or IT individuals. That needs to involve a cross-functional group: legal, financial, other IT and infosec, product, developers, etc. There could be various different individuals, but there’s got to be a team. Cybersecurity compliance is not a one team; it can’t be narrow just for information security teams or IT professionals. And I would say before you have to make an attestation or submit cybersecurity artifacts to prove your compliance, do a test run. Understand where you come out. Where are your strengths, where are your weaknesses, where are there gaps? There’s no perfect cybersecurity program. There’s going to be gray areas from a compliance perspective, particularly with a complex cyber framework — DFARS 7012, NIST 800-171 — it’s complex and it’s not black and white. But understand and go into this with eyes wide open.
Terry Gerton And Mr. Liebler, where do you think these trends point to in 2026? Are we going to be seeing more of these kinds of criminal investigations or generally heightened security or focus on cybersecurity attestations?
Andrew Liebler I think so. I think that there are a lot of trends that you can pull from this. One is the enforcement apparatus between the DOJ and the agencies has gotten more sophisticated. These investigations require a lot of resources, they require cooperation between the agencies, they require subject matter expertise. And that’s being built through these investigations. When we see these settlements and announced cases, that’s the tip of the iceberg. There are many, many more investigations that are underway and companies in all areas of the market that are engaged in these discussions with the regulators at the moment. So there’s a lot happening here. I think one other interesting trend, though, from last year that certainly could continue in the future is just the rise of cyber whistleblowers. Many of the cases that were settled last year began as sealed, what are called qui tam cases, so False Claims Act cases brought by private whistleblowers. Oftentimes those are former IT employees, product managers, quality control employees. And a common refrain in their allegations is, “I identified cyber deficiencies in my company, I tried to raise concerns internally, and I was ignored or rebuffed by the rest of the company.” And so I think when you’re considering, if you are a contractor, among the things that you can do to try and sort of insulate yourself from becoming the subject of enforcement is to make sure that your internal reporting structures are behaving as they should. Do employees with oversight have a reliable means of raising concerns about cyber compliance and preparedness, and what happens when they raise those concerns? I think the last thing is, can they do that confidentially if they need to, if they have a real material concern? So that the company can deal with it internally before it turns into a qui tam case and eventually a government investigation.
Terry Gerton That’s really smart advice. And Mr. Taubin, let me give you the last word.
Lance Taubin One more item I would add, which I think is a really interesting and unique trend at the DOJ: Unlike other state and federal regulators where we typically see enforcement actions on the cyber side following a significant data breach, the trend here is not focused on organizations that incurred a data breach or cybersecurity attack. It’s really focused on misrepresentations and material noncompliance with cybersecurity obligations. A data breach doesn’t necessarily have to happen. And that’s a unique trend and something that I think is important to understand going forward.