Cybersecurity enforcement remained a top priority for the Department of Justice in 2025, as its Civil Cyber-Fraud Initiative continued to drive significant False Claims Act settlements across multiple sectors. While enforcement actions primarily targeted defense contractors, a notable case involving a biotechnology company signals expanding scrutiny in the healthcare industry.
The DOJ’s initiative, launched in October 2021, has now matured into a formidable enforcement mechanism, with 2025 marking its most active year to date. The settlements highlight the federal government’s growing focus on ensuring contractors strictly adhere to cybersecurity regulations, including NIST standards, DFARS requirements, and FedRAMP protocols.
In March 2025, Massachusetts-based defense contractor MORSE Corp agreed to pay $4.6 million to resolve allegations stemming from a whistleblower complaint. The company allegedly failed to implement required NIST SP 800-171 cybersecurity controls and didn’t ensure subcontractors met similar requirements, violating DFARS regulations.
Georgia Tech Research Corporation reached an $875,000 settlement in October over allegations it failed to implement anti-virus tools required by NIST standards and submitted an inflated security assessment score to the Department of Defense. The case raised interesting questions about the “fundamental research” exception to certain cybersecurity regulations, though the settlement occurred before the court could provide clarification on this potentially significant issue for academic medical centers.
Perhaps most consequential for the healthcare sector was a $9.8 million settlement with a diagnostic company that develops DNA sequencing technologies. The company allegedly sold sequencers with serious software vulnerabilities that could have exposed sensitive genetic information to unauthorized access. According to the DOJ, the company knowingly failed to implement adequate cybersecurity protections over a seven-year period while falsely claiming compliance with ISO and NIST standards. The settlement included $4.3 million in restitution and appeared to involve a multiplier exceeding the typical 2x damages standard—suggesting the DOJ viewed these violations as particularly serious.
The year’s enforcement actions revealed several critical patterns that companies should heed. First, the DOJ continues to reward self-disclosure and cooperation. Defense contractor Aero Turbine Inc. (ATI) and its private equity owner Gallant Capital Partners reached a $1.75 million settlement following their voluntary disclosure of cybersecurity failures. Their extensive cooperation, including identifying responsible individuals and promptly remedying issues, resulted in a reduced damages multiplier of approximately 1.5x rather than the standard 2x penalty.
Second, successor liability has emerged as a significant risk in corporate transactions. In May, DOJ announced an $8.5 million settlement with Raytheon Company, RTX Corporation, and Nightwing entities over Raytheon’s alleged failure to implement a compliant System Security Plan. Notably, Nightwing was named as a “successor in liability” despite acquiring Raytheon’s cybersecurity business three years after the relevant violations occurred. This underscores the importance of thorough due diligence during acquisitions and prompt disclosure if compliance issues are discovered post-transaction.
Third, the stakes continue to rise as criminal charges enter the enforcement toolkit. In December, a grand jury indicted a former senior manager at a government contractor for allegedly carrying out a multi-year scheme to mislead federal agencies about security controls in a cloud platform used by the U.S. Army. The charges included major government fraud, wire fraud, and obstruction of federal audits.
For healthcare organizations contracting with government agencies, these cases reinforce several best practices: regular auditing of cybersecurity compliance, prompt response to reported concerns, thorough due diligence in acquisitions, and swift self-disclosure of discovered shortcomings.
Industry observers anticipate enforcement will intensify in 2026, particularly in the healthcare sector where sensitive data protection is paramount. As artificial intelligence technologies become more prevalent, they will likely create new cybersecurity challenges that further complicate compliance efforts.
Private equity investors should remain vigilant about potential False Claims Act exposure when managing portfolio businesses, particularly those contracting with government agencies. The inclusion of Gallant Capital in the ATI settlement demonstrates that investors can face direct liability when involved in portfolio companies’ operational decisions.
18 Comments
The $4.6 million settlement with MORSE Corp highlights the steep financial consequences for failing to implement required cybersecurity controls. Subcontractor compliance is clearly an area of scrutiny.
It’s encouraging to see the DOJ taking a comprehensive approach and ensuring the entire supply chain meets cybersecurity obligations. This will help strengthen overall system security.
The expansion of this initiative into the healthcare industry is an interesting development. Cybersecurity is just as vital in the medical field, where sensitive patient data must be protected.
It will be worth monitoring how the DOJ’s focus evolves across different sectors in the coming years. Upholding cybersecurity standards should be a top priority for all government contractors.
The DOJ’s emphasis on NIST, DFARS, and FedRAMP compliance underscores the government’s commitment to robust cybersecurity practices across its contractor network. Upholding these standards is critical for safeguarding sensitive information.
As the cybersecurity landscape continues to evolve, it will be important for the DOJ to stay nimble and adapt its enforcement strategies accordingly. Maintaining a strong deterrent is essential.
It’s interesting to see the DOJ’s cybersecurity enforcement efforts expanding beyond the traditional defense sector into industries like healthcare. This suggests a broad, cross-cutting focus on data protection.
These settlements provide a clear roadmap for contractors on the specific cybersecurity controls and standards they need to implement to avoid False Claims Act violations. Proactive compliance is key.
The steady stream of settlements highlights the DOJ’s determination to hold contractors accountable for cybersecurity lapses. Strict adherence to regulations is non-negotiable, and the financial penalties can be substantial.
Proactive cybersecurity measures and a culture of compliance should be a top priority for all government contractors. The consequences of failing to meet these standards can be severe.
The continued enforcement of cybersecurity regulations under the False Claims Act is an important step to ensure government contractors are upholding their obligations. Strict adherence to NIST, DFARS, and FedRAMP standards is critical for safeguarding sensitive data and systems.
These settlements send a clear message that the government takes cybersecurity violations seriously. Contractors must prioritize robust security measures or face significant penalties.
Given the sensitive nature of government data and systems, it’s understandable that the DOJ is taking such a strong stance on cybersecurity. Protecting against cyber threats should be a top priority for all contractors.
The recent settlements provide helpful guidance for contractors on the specific cybersecurity controls and protocols they need to have in place to avoid penalties. Proactive compliance is key.
The $875,000 settlement with Georgia Tech Research Corporation is another example of the DOJ’s commitment to enforcing cybersecurity regulations. Even prestigious academic institutions must adhere to these standards.
This enforcement action demonstrates the government’s determination to hold all contractors accountable, regardless of their size or reputation. Robust cybersecurity is a non-negotiable requirement.
The DOJ’s Civil Cyber-Fraud Initiative has clearly gained significant momentum, with 2025 marking its most active year to date. Contractors should take note and ensure their cybersecurity practices are up to par.
Staying on top of the evolving cybersecurity landscape and regulatory requirements will be essential for government contractors. Vigilance and continuous improvement are crucial in this space.