
The Department of Justice (DOJ) continues to aggressively pursue civil cyber-fraud cases, reaffirming the federal government’s commitment to addressing vulnerabilities in contractor cybersecurity practices. In a recent development, the DOJ announced a $4.6 million False Claims Act (FCA) settlement with a Massachusetts-based company over cybersecurity deficiencies in its Department of Defense contracts.

The settlement, announced on March 26, stems from a qui tam complaint filed by a whistleblower who will receive approximately $850,000 of the settlement amount. The company must also pay an additional $198,000 for attorney’s fees and expenses as required by the FCA.

As part of the settlement agreement with the Boston U.S. Attorney’s Office, the company admitted responsibility for four significant violations that highlight critical compliance issues for any government contractor.

First, the company failed to implement required cybersecurity controls outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171. These controls are designed to protect controlled unclassified information in non-federal systems and organizations. The company’s failures left its networks vulnerable to potential exploitation and data exfiltration.

Second, the company misrepresented its security control implementation status to the Department of Defense. Under Defense Federal Acquisition Regulation Supplement (DFARS) requirements, the company submitted a self-assessed score of 104 out of a possible 110 points for NIST compliance. However, a third-party consultant later determined the actual score was -142, indicating that only 22% of required controls were fully implemented. Despite learning of this discrepancy, the company waited nearly a year to correct its submission.
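The negative score above surprises many readers: under the DoD Assessment Methodology for NIST SP 800-171, a score starts at 110 (one point per requirement) and each requirement that is not implemented subtracts a weight of 5, 3 or 1, so a poorly implemented environment can score well below zero (the scale bottoms out at -203). The following Python is an added example, not code from the article or from the settlement documents; the requirement counts per weight are constructed so that the figures match the article's 104 claimed, -142 assessed and roughly 22% implemented, and the control IDs are synthetic placeholders. The methodology also allows partial credit on a couple of requirements, which this example treats as binary.

```python
"""Added example: how a NIST SP 800-171 DoD Assessment Methodology score is
derived and how a self-assessment can be compared with a third-party one.

Assumptions (from the DoD methodology, not from the article): 110 requirements,
maximum score 110, each unimplemented requirement subtracts 5, 3 or 1 points,
minimum score -203. All counts and control IDs below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

TOTAL_REQUIREMENTS = 110   # NIST SP 800-171 security requirements
MAX_SCORE = 110            # one point per requirement, all implemented
MIN_SCORE = -203           # floor of the DoD Assessment Methodology scale
VALID_WEIGHTS = (5, 3, 1)  # points lost when a requirement is NOT implemented


@dataclass(frozen=True)
class Requirement:
    control_id: str     # e.g. "3.1.1" in a real assessment; synthetic here
    weight: int         # 5, 3 or 1 per the DoD methodology
    implemented: bool   # True only if FULLY implemented


def assessment_score(reqs: Iterable[Requirement]) -> int:
    """Score = 110 minus the summed weights of every unimplemented requirement."""
    reqs = list(reqs)
    if len(reqs) != TOTAL_REQUIREMENTS:
        raise ValueError(f"expected {TOTAL_REQUIREMENTS} requirements, got {len(reqs)}")
    for r in reqs:
        if r.weight not in VALID_WEIGHTS:
            raise ValueError(f"{r.control_id}: invalid weight {r.weight}")
    penalty = sum(r.weight for r in reqs if not r.implemented)
    score = MAX_SCORE - penalty
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise RuntimeError(f"score {score} outside the methodology's range")
    return score


def implemented_fraction(reqs: Iterable[Requirement]) -> float:
    """Share of requirements fully implemented (the article's '22%' figure)."""
    reqs = list(reqs)
    return sum(1 for r in reqs if r.implemented) / len(reqs)


def build_assessment(counts: Dict[int, Tuple[int, int]]) -> List[Requirement]:
    """Expand {weight: (implemented, not_implemented)} into Requirement records.
    Control IDs are synthetic ("C001", ...) because the real weight-to-control
    mapping is out of scope for this illustration."""
    reqs: List[Requirement] = []
    n = 0
    for weight, (done, missing) in counts.items():
        for status, k in ((True, done), (False, missing)):
            for _ in range(k):
                n += 1
                reqs.append(Requirement(f"C{n:03d}", weight, status))
    return reqs


def discrepancy(claimed: Iterable[Requirement], assessed: Iterable[Requirement]) -> int:
    """Points by which the submitted self-assessment overstated the assessed score."""
    return assessment_score(claimed) - assessment_score(assessed)


# Constructed distributions (NOT taken from the settlement or complaint):
# a self-assessment missing one 5-point and one 1-point requirement -> 104,
# and a consultant's view with only 24 of 110 fully implemented -> -142.
SELF_ASSESSMENT = build_assessment({5: (41, 1), 3: (14, 0), 1: (53, 1)})
CONSULTANT_ASSESSMENT = build_assessment({5: (7, 35), 3: (1, 13), 1: (16, 38)})

if __name__ == "__main__":
    print("self-assessed score:", assessment_score(SELF_ASSESSMENT))
    print("consultant score:", assessment_score(CONSULTANT_ASSESSMENT))
    print("fully implemented:", f"{implemented_fraction(CONSULTANT_ASSESSMENT):.0%}")
    print("overstated by:", discrepancy(SELF_ASSESSMENT, CONSULTANT_ASSESSMENT), "points")
```

The point of the weighting is that a handful of missing 5-point requirements costs far more than the raw count of controls suggests, which is why a score "out of 110" can be deeply negative while a fifth of the controls are still in place. A contractor that tracks its score this way has a concrete number to reconcile against any earlier submission, rather than discovering the gap only when an outside assessor reports it.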

Third, the company failed to maintain consolidated written plans for its information systems as required by the Federal Risk and Authorization Management Program (FedRAMP). These plans should have described system boundaries, environments, security requirements, and connections to other systems.

Finally, the company used a cloud email hosting provider that was not contractually required to meet DFARS or FedRAMP requirements, nor did the company verify the provider’s compliance status. This oversight is particularly significant as the company used this cloud-based email system to exchange controlled unclassified information.

The case offers several important lessons for organizations working with government contracts. Companies must foster a cybersecurity culture where employee concerns are taken seriously. According to the complaint, the whistleblower—who served as the company’s Head of Security and Facility Security Officer—identified vulnerabilities “within weeks of arriving” in January 2021 and repeatedly raised issues with senior leadership before filing the qui tam complaint in January 2023.

The settlement also highlights the dangers of conducting security assessments without appropriate follow-through. While the company did engage a third-party consultant for a gap analysis, it failed to implement remediation plans in a timely manner, creating a documented record of known vulnerabilities that remained unaddressed.

Corporate governance issues also played a significant role. The complaint alleges institutional noncompliance and disregard for contractual obligations, with senior leadership viewing noncompliance as merely “a business risk.” This case underscores that cybersecurity risk assessment cannot be handled by IT departments alone but requires legal counsel involvement to properly qualify and quantify risks.

For government contractors, the evolving regulatory landscape demands vigilance. Several government agencies now require compliance with NIST control frameworks, and this trend is likely to expand. What begins as a government requirement often becomes a commercial expectation for handling sensitive information.

The case also emphasizes the importance of third-party vendor management. Companies must understand how data flows through their systems and ensure that all vendors handling sensitive information meet applicable regulatory requirements.

As cybersecurity regulations continue to evolve and enforcement actions increase, organizations must prioritize compliance to avoid similar investigations and settlements. This case serves as a stark reminder that cybersecurity deficiencies can lead to significant financial penalties and reputational damage, particularly for companies handling government contracts.


16 Comments

  1. Oliver W. Garcia on

    Kudos to the DOJ and the whistleblower for uncovering these cybersecurity failures. Rigorous enforcement of the FCA is crucial for protecting sensitive government data.

  2. Isabella Taylor on

    This settlement highlights the DOJ’s commitment to addressing cybersecurity vulnerabilities in government contracts. Contractors need to ensure robust compliance with NIST standards to protect sensitive data.

    • Absolutely. Failing to implement required controls leaves the government exposed to cyber risks. Contractors must take cybersecurity seriously or face stiff penalties.

  3. The False Claims Act is a powerful tool for the government to recoup losses from contractors who misrepresent their cybersecurity practices. This serves as a strong deterrent for would-be violators.

    • Jennifer Garcia on

      Agreed. The whistleblower incentive also encourages internal reporting of non-compliance, which is crucial for uncovering these issues.

  4. Oliver Jackson on

    This is an important development that underscores the DOJ’s commitment to using the FCA to drive improved cybersecurity practices among government contractors.

  5. William Williams on

    The FCA settlement highlights the critical importance of robust cybersecurity controls for any company doing business with the government. Contractors must take this issue seriously.

    • William Hernandez on

      Absolutely. Proactive compliance and continuous improvement in cybersecurity are essential to avoiding costly penalties and protecting sensitive government data.

  6. Cybersecurity should be a top priority for any government contractor. This settlement shows the DOJ will not tolerate cutting corners on protecting sensitive data and systems.

  7. Olivia G. Smith on

    This settlement serves as a wake-up call for contractors – the DOJ is serious about holding them accountable for cybersecurity lapses that put government data at risk.

  8. William Jackson on

    While costly, this settlement sends a clear message that the government takes cybersecurity very seriously. Contractors must make it a top priority or face serious consequences.

    • Olivia Martinez on

      Agreed. The financial and reputational damage from FCA violations can be devastating for contractors. They need to get their cybersecurity house in order.

  9. William Williams on

    The FCA is an effective tool for rooting out cybersecurity vulnerabilities in the government supply chain. This settlement should prompt contractors to re-evaluate their security practices.

  10. It’s concerning to see a company admit to such significant cybersecurity failures in its DoD contracts. Strict adherence to NIST standards is non-negotiable for government work.

    • Elizabeth C. Davis on

      Agreed. Contractors need to invest adequately in their cybersecurity posture to meet compliance requirements and protect critical government information.

Company

Disinformation Commission LLC
30 N Gould ST STE R
Sheridan, WY 82801
USA

© 2025 Disinformation Commission LLC. All rights reserved. Designed By Sawah Solutions.