In a significant enforcement trend, the Justice Department has intensified its pursuit of federal contractors violating cybersecurity requirements under the False Claims Act since January 2025. The Trump administration has announced six settlements in the past 11 months alone, accounting for nearly half of the 14 total settlements since the Civil-Cyber Fraud initiative was launched in 2021.

Sara McLean, former assistant director of the DOJ Commercial Litigation Branch’s Fraud Section and now a partner with Akin, notes a distinct shift in enforcement priorities. “I think there are going to be a lot more of these announcements. There’s been a huge uptick just since the beginning of the administration. That is just absolutely going to continue,” McLean said during Federal News Network’s Risk & Compliance Exchange 2025.

According to McLean, cybersecurity enforcement has become an integral part of the Justice Department’s daily operations. “Cyber enforcement is now embedded in what the Justice Department does every day. It’s described as the bread and butter by leadership,” she explained.

Recent high-profile settlements include an $875,000 agreement with Georgia Tech Research Corp. in September and a $1.75 million settlement in August with Aero Turbine Inc. (ATI), an aerospace maintenance provider, along with Gallant Capital Partners, a private equity firm that held a controlling stake in ATI during the relevant period.

McLean emphasized that False Claims Act allegations typically focus on reckless disregard for cybersecurity rules rather than simple mistakes. New patterns have emerged in recent cases, including issues related to medical device security and the qualifications of cyber workers performing on government contracts.

The Civil-Cyber Fraud initiative, launched in 2021 following President Biden’s executive order directing agencies to improve cybersecurity efforts, now has approximately 130 lawyers working in coordination with U.S. attorney’s offices and agency inspectors general. The initiative aims to ensure contractors and grantees meet government cybersecurity requirements while protecting sensitive information and ensuring a level playing field among vendors.

Investigations typically begin with an inspector general review, prompted either by a whistleblower filing (qui tam lawsuit) or a traditional review of contracts and grants. McLean described a collaborative process between agencies and DOJ: “DOJ is making the decision, but it’s based on the recommendation of the agencies and with the total support of the agencies.”

The False Claims Act’s scope extends beyond primary contractors to include subcontractors, assessors, private equity companies, and even individuals who cause false claims to be submitted. McLean warned that the law requires only reckless disregard, not intentional fraud, to trigger liability.

“It’s critically important for anyone doing business with the government, especially those who are signing a contract and agreeing to do something, to make sure that they understand what that is, especially in the cybersecurity area,” McLean cautioned. “What they’ve signed on to can be quite complicated… signing on the dotted line without that understanding is just a recipe for getting into trouble.”

For companies discovering compliance issues, McLean noted that DOJ offers credit in settlements for self-disclosure, cooperation, and remediation. This approach recognizes that cybersecurity awareness has increased over time, and some companies may need to address past deficiencies.

McLean specifically highlighted the Department of Defense’s new Cybersecurity Maturity Model Certification (CMMC) as an area requiring vigilant compliance. Certifying CMMC compliance without proper understanding could be considered “deliberate ignorance” or “gross negligence.”

“Signing a certification when the information is not true starts to look like a lie, which starts to look like the more intentional type of fraud rather than a mistake,” McLean explained, emphasizing the importance of thorough verification before making certifications.

As federal contractors navigate increasingly complex cybersecurity requirements, the Justice Department’s aggressive enforcement approach signals that compliance isn’t merely a technical obligation but a legal necessity with significant financial consequences for those who fall short.

16 Comments

  1. Oliver Hernandez on

    I’m curious to learn more about the specific cybersecurity requirements that these federal contractors are accused of violating. The details could provide useful insights for others in the industry.

  2. It’s encouraging to see the DOJ taking such a firm stance on this issue. Cybersecurity threats are only becoming more sophisticated, so robust compliance is essential for government contractors.

  3. The False Claims Act seems like a powerful tool for holding contractors accountable. I wonder if the DOJ will continue to expand its use in this area, or if new legislation may be needed to further strengthen cybersecurity requirements.

    • That’s an interesting question. The DOJ’s approach suggests they’re maximizing the tools at their disposal, but new laws or regulations could provide even stronger enforcement mechanisms.

  4. Isabella Thompson on

    This article highlights the importance of proactive cybersecurity measures for any organization, not just government contractors. The financial and reputational risks of non-compliance are simply too high to ignore.

  5. The False Claims Act seems like an effective tool for enforcing cybersecurity requirements. Holding contractors accountable through financial penalties could drive better compliance across the industry.

    • Olivia Thompson on

      It’s good to see the DOJ using all the tools at their disposal to address this critical issue. Proactive enforcement is crucial to protect sensitive government data.

  6. William Thompson on

    Interesting to see the DOJ cracking down on federal contractors’ cybersecurity compliance. Sounds like a concerted effort to ensure proper safeguards are in place for sensitive government data and systems.

    • William K. Lee on

      Agreed, cybersecurity has become a major priority for the DOJ. These settlements suggest they’re taking a hard line on contractors who fail to meet their obligations.

  7. Elizabeth K. Thompson on

    I wonder if these settlements will have a deterrent effect, encouraging other contractors to review and strengthen their cybersecurity measures. Proactive steps could help them avoid similar penalties.

    • Jennifer Garcia on

      That’s a good point. The DOJ’s aggressive enforcement is likely intended to drive widespread improvements in cybersecurity practices across the industry.

  8. James W. Williams on

    This article highlights the growing importance of cyber compliance, not just for government contractors but for any organization handling sensitive data. The risks of non-compliance are significant.

  9. James Rodriguez on

    The DOJ’s focus on cybersecurity compliance is a clear sign of the times. With the increasing frequency and sophistication of cyber attacks, it’s critical that companies take this issue seriously and invest in robust security measures.

    • Lucas W. Jones on

      Absolutely. Cybersecurity is no longer just an IT issue – it’s a strategic priority that requires engagement at the highest levels of an organization.

  10. The surge in settlements since the start of the new administration suggests a real shift in priorities. Cybersecurity must be a top concern for any company doing business with the government.

    • Absolutely, the DOJ is clearly signaling that lax cybersecurity practices will no longer be tolerated. Contractors need to take this threat very seriously.

© 2026 Disinformation Commission LLC. All rights reserved.