Cybersecurity Fraud Settlements Surge as DOJ Ramps Up Enforcement Against Government Contractors

Federal enforcement of cybersecurity requirements for government contractors has intensified dramatically, with the Department of Justice securing over $52 million across nine False Claims Act settlements in fiscal year 2025 alone. This marks a more than threefold increase in cyber-related recoveries over the past two fiscal years, signaling a major shift in the enforcement landscape.

The cases reveal alarming compliance failures across various sectors. In one instance, defense contractor MORSECORP scored a dismal -142 on a cybersecurity self-assessment but waited nearly a year—and until receiving a federal subpoena—before correcting its reporting. In another case, Illumina Inc. sold genomic sequencing systems with significant software vulnerabilities to federal agencies for seven years. A third settlement involved a university research lab conducting sensitive Air Force and DARPA cyber-defense work without basic antivirus protection on its computers.

The enforcement trend shows no signs of slowing. Since Deputy Attorney General Lisa Monaco launched the Civil Cyber-Fraud Initiative in October 2021, the DOJ has settled at least fifteen civil cyber-fraud cases under the False Claims Act. Notably, 60 percent of these settlements occurred in FY 2025. The initiative continues to expand its reach, with December 2025 marking what analysts identified as the first cyber FCA settlement extending to the subcontractor tier of the defense supply chain.

During a January 2026 conference, Deputy Assistant Attorney General Brenna Jenny, the DOJ’s top False Claims Act official, described the recoveries as reflecting a “significant upward trajectory” and emphasized that the government intends to maintain this enforcement pace. Jenny made a critical distinction that contractors should note: these cases “are not about data breaches” but “are premised on misrepresentations”—the gap between what organizations tell the government about their cybersecurity compliance and what they actually implement.

This framing lowers the enforcement threshold significantly. The DOJ doesn’t need to prove a security breach occurred; it only needs to show that a contractor or grantee certified compliance with cybersecurity requirements while knowing—or recklessly disregarding—that the certification was false.

The settlements reveal diverse violations across industries. Health Net Federal Services and parent company Centene Corporation paid $11.2 million for allegedly falsely certifying TRICARE cybersecurity compliance between 2015 and 2018. Raytheon Company, RTX Corporation, and Nightwing Group LLC paid $8.4 million for allegedly using noncompliant internal systems for defense information across 29 DoD contracts.

The Illumina settlement of $9.8 million represents the first FCA settlement focused specifically on a medical device manufacturer’s product-level cybersecurity design. This precedent has significant implications for any healthcare technology manufacturer selling to federal agencies.

Whistleblowers have played a crucial role in driving these enforcement actions. In FY 2025, whistleblower-filed lawsuits outnumbered DOJ-initiated cases by more than three to one. The 1,297 qui tam actions filed that year set a single-year record. For cybersecurity cases specifically, employees closest to compliance gaps are the ones most likely to report them, incentivized by potential rewards of 15 to 30 percent of any recovery.

A particularly significant development was the $1.75 million settlement with Aero Turbine Inc. and its private equity owner, Gallant Capital Partners—the first cyber-related FCA settlement to include a private equity sponsor as a defendant. This puts financial sponsors on notice that they inherit not just revenue but compliance obligations when acquiring companies with government contracts.

These enforcement trends coincide with the implementation of the Cybersecurity Maturity Model Certification (CMMC) 2.0 program, which became effective in November 2025. The program imposes contractual cybersecurity certification requirements on all entities doing business with the Department of Defense that handle Federal Contract Information or Controlled Unclassified Information. Each implementation phase creates new certification requirements that contractors must satisfy, with each certification potentially serving as grounds for False Claims Act liability if compliance is inadequate.

The Civil Cyber-Fraud Initiative now operates within a broader institutional framework. In early 2026, a new Department of Justice Division for National Fraud Enforcement was established, along with a Presidential Task Force to Eliminate Fraud. These developments signal continued institutional investment in fraud enforcement against federal contractors, with cybersecurity compliance firmly within scope.

For organizations holding federal contracts, the enforcement trend demands proactive measures. These include conducting independent cybersecurity assessments, ensuring system security plans are current and accurate, and establishing protocols for voluntary self-disclosure when issues arise.

The implications extend beyond defense contracting to any entity receiving federal funds—including universities, healthcare providers, and infrastructure contractors. As FY 2025’s record-setting statistics demonstrate, cyber FCA enforcement has evolved from experimental to operational, raising a critical question for all federal contractors: if the DOJ subpoenaed your cybersecurity compliance records tomorrow, would the documentation match the certifications you’ve already submitted?

10 Comments

  1. Patricia Williams on

    The examples cited, like the defense contractor with a -142 cybersecurity score and the university lab without basic antivirus protection, are quite alarming. It’s clear that some organizations have been dangerously lax in their approach to cybersecurity.

    • Elizabeth Lee on

      Agreed, those cases are incredibly concerning. It’s good to see the DOJ taking such a strong stance to hold contractors accountable and deter future compliance failures.

  2. Mary Thompson on

    This enforcement trend is a wake-up call for the industry. Government contractors need to prioritize cybersecurity and ensure they are fully compliant with all relevant regulations and standards. Failing to do so can now result in severe financial and reputational consequences.

    • Mary Johnson on

      Well said. The DOJ is clearly signaling that it will not tolerate any complacency when it comes to protecting sensitive government data and systems.

  3. Liam Jackson on

    I’m curious to see if this increased enforcement will drive broader improvements in cybersecurity practices across the government contracting industry. Proactive compliance will be crucial to avoid these types of enforcement actions.

    • William Moore on

      That’s a good point. The DOJ’s actions may prompt contractors to reevaluate their security measures and make necessary investments to shore up their defenses.

  4. Jennifer Y. Moore on

    This is an important development in cybersecurity enforcement. Government contractors need to take these compliance requirements seriously and proactively address vulnerabilities. The fines and settlements show the DOJ is cracking down hard on false claims and lax security practices.

    • Linda Martinez on

      Agreed. The DOJ is clearly making this a top priority, and contractors who try to cut corners on cybersecurity will face serious consequences.

  5. John Hernandez on

    The scale of these settlements is quite staggering. Over $52 million in just one fiscal year is a huge amount. This underscores how critical robust cybersecurity has become for organizations working with the federal government.

    • Robert Z. Garcia on

      Absolutely. The financial penalties serve as a strong deterrent, but the reputational damage from these cases could be even more costly for contractors.

© 2026 Disinformation Commission LLC. All rights reserved.