Since its launch in 2021, the Civil Cyber-Fraud Initiative has worked to use the FCA to enforce cybersecurity requirements in federal contracts (even when contracting agencies themselves do not). Although many of the DOJ’s enforcement priorities shifted last year under the new Administration, cybersecurity enforcement continued apace. In 2025, the DOJ reached seven settlements with government contractors and grantees across industries including defense, information technology, higher education, and health care. As technology rapidly evolves and cyber threats intensify, the Civil Cyber-Fraud Initiative will remain an important tool for the government to motivate compliance with its contractual cybersecurity obligations and protect against cyberattacks and data breaches that could compromise national security and other government interests.
Civil Cyber-Fraud Initiative
On October 6, 2021, the DOJ announced its new Civil Cyber-Fraud Initiative (Initiative). The press release accompanying its launch explained that the DOJ intended to leverage its institutional FCA expertise “to combat new and emerging cyber threats in the security of sensitive information and critical systems.” By introducing the Initiative, the DOJ made clear its intent to use the FCA to target “cybersecurity related fraud by government contractors and grant recipients.” The DOJ has taken the position that contractual cybersecurity requirements are material to the government’s decision to make payments under an array of contracts, rendering knowing false certification of compliance with those requirements a violation of the FCA.
In 2025, the DOJ announced settlements in seven cases, with recoveries totaling nearly $50 million, for a total of 16 settlements and over $80 million in recoveries since the Initiative started. Although the government’s cyber FCA theories remain largely untested by the courts, settlements announced in 2025 provide key insight into the DOJ’s theories and priorities.
Key developments
Broad enforcement scope
Although defense contractors remain a focus of the Initiative, the DOJ’s cyber FCA settlements in 2025 have involved diverse industries, including technology, education, and health care. Notably, in 2025, two health care companies, Health Net Federal Services (HNFS) and Illumina, Inc. (Illumina), reached cyber-related settlements with the DOJ. HNFS, which administered the Department of Defense’s (DOD) TRICARE health benefits program, paid over $11 million for allegedly failing to timely scan for vulnerabilities and ignoring reports of cybersecurity risks during a 2015-2018 contract period. HNFS denied the government’s allegations and denied that any data loss occurred but agreed to resolve the dispute through a settlement agreement. Additionally, Illumina, a genetic testing company, paid $9.8 million for an alleged failure to disclose or remedy a “severe” vulnerability detected in its software by a third party.
Technology services companies have likewise been targeted for cybersecurity-related enforcement. Hill Associates, which settled a variety of FCA claims in 2025 for almost $15 million, contracted with the General Services Administration (GSA) to provide IT solutions to various federal agencies. Per the settlement agreement, Hill Associates billed the government for providing specialized cybersecurity solutions to government agencies despite not having passed the technical evaluation required by its contract with the GSA. This followed settlements by Verizon (2023), which found and disclosed vulnerabilities in its custom government solution, and another government contractor (2024), which allegedly failed to secure the personally identifiable information of Medicare beneficiaries.
Going forward, government contractors across industries – not just defense – can expect the DOJ to scrutinize compliance with cybersecurity provisions in government contracts.
Government complaints-in-intervention remain rare
To date, most DOJ settlements stem from private whistleblower suits, with the DOJ investigating for long periods and intervening solely for the purposes of settlement. So far, the DOJ has filed a formal complaint-in-intervention in only one qui tam case, against Georgia Tech Research Corporation (Georgia Tech), in August 2024, which we discussed at length in last year’s FCA Guide. In the Georgia Tech case, the DOJ alleged that there was “no enforcement” of the cybersecurity requirements in Georgia Tech’s contracts with the DOD and articulated its position that cybersecurity requirements were “material” to payment decisions on government contracts. As discussed further below, Georgia Tech settled these allegations in 2025, leaving the government’s theories untested and its litigation strategy unknown. It appears likely, though, that the DOJ will continue to rely on private relators to initiate and pursue cybersecurity FCA cases.
NIST SP 800-171 featured prominently
The DOJ’s enforcement efforts have focused on the specific cybersecurity provisions included in defendants’ government contracts. In particular, several recent settlements have focused on compliance with National Institute of Standards and Technology (NIST) Special Publications (SP), including SP 800-171. NIST SP 800-171 calls for the adoption of safeguards for the handling of sensitive government information. In at least four 2025 settlements (Raytheon/Nightwing, MORSECORP, Aero Turbine/Gallant Capital Partners, and Georgia Tech), the DOJ alleged failure to implement the NIST SP 800-171 framework. These follow a 2024 settlement with Pennsylvania State University (Penn State) in which a relator alleged that Penn State was required – but failed – to comply with NIST SP 800-171.
In the coming years, we may see even more cases involving NIST SP 800-171. In November 2025, the DOD began a three-year phased rollout of its final rule implementing the contractual requirements of the Cybersecurity Maturity Model Certification (CMMC) program. The CMMC program creates three compliance levels, based on the sensitivity of information that contractors handle. Under the CMMC, contractors who handle Controlled Unclassified Information (CUI) must implement the security requirements outlined in NIST SP 800-171 and must periodically assess (or obtain a third-party assessment of) their compliance with these requirements. Although the requirement to comply with NIST SP 800-171 is not new, the CMMC program will require additional assessments, affirmations, and certifications – including attestations of subcontractor compliance – that aim to increase defense contractors’ accountability. These additional certifications – if false – could open a clearer pathway to liability under the FCA in cybersecurity cases involving defense contractors.
No cyberattack or data breach required for enforcement
The DOJ maintains that liability can arise even absent an actual cybersecurity incident. Specifically, in its July 2025 settlement agreement with Illumina, the DOJ asserted that the company’s “claims to the Agencies were false, regardless of whether any actual cybersecurity breaches occurred,” indicating its view that a false certification or undisclosed vulnerability is sufficient to establish FCA liability, even if no government information is improperly accessed.
The DOJ’s damages theory remains unsettled and untested
Settlement amounts in cyber FCA matters have varied widely – to date, ranging from $294,000 to nearly $15 million – and often represent a small fraction of the contract values. For example, Raytheon settled with the government for $8.4 million, even though the relator alleged that Raytheon was paid over $30 billion in contracts with the government for “cyber offensive capabilities.” Similarly, the relator in the MORSECORP case alleged that the defendant had received over $100 million from the government as a contractor and subcontractor, yet the DOJ settled with MORSECORP for just $4.6 million.
Additionally, in the Georgia Tech matter, the only cyber FCA case in which the government has intervened, the DOJ alleged that “[w]hat [the DOD] received for its funds was of diminished or no value, not the benefit of its bargain.” Nonetheless, the government settled the matter for $875,000, even though it alleged that Georgia Tech had entered into more than $1.6 billion in government contracts. The settlement came after Georgia Tech filed a motion to dismiss that challenged the government’s theories of falsity and materiality. Of course, settlement negotiations are both confidential and complex, but the fact that the settlement amount is so far below the amount allegedly paid to the defendants suggests that the government acknowledged it received value under the contracts notwithstanding the alleged cybersecurity deficiencies. Notably, the core services delivered under the grants and contracts at issue in the matter were studies of cybersecurity protections – cybersecurity was not an ancillary requirement under a contract to deliver other services or items to the government. How the government characterizes damages, and how much it ultimately recoups, remains worth monitoring, especially in cases where no cybersecurity incident has occurred.
Looking ahead
Since the beginning of the second Trump Administration, the DOJ has shifted resources away from other Biden-era enforcement priorities but has shown no signs of slowing cybersecurity-related FCA enforcement efforts. Because robust enforcement is expected to continue, companies contracting with the government should prioritize robust cybersecurity controls, conduct regular testing and assessments, and maintain a vulnerability management program designed to appropriately address any known vulnerabilities, so that they can demonstrate strict compliance with contractual requirements. Periodic “mock audits” of adherence to cybersecurity representations also can help confirm alignment with contractual requirements and that the compliance program is operating within the company’s risk tolerance. And while cyberattacks are not a prerequisite for DOJ cyber FCA enforcement actions, post-incident reviews are a prudent step to reconfirm compliance with contractual cybersecurity terms when contractors inevitably experience cyberattacks or data breaches.
Although settlements in 2025 have made clear that government contractors across industries should be mindful of their cybersecurity obligations, defense contractors should take particular note. As the CMMC program rolls out over the next three years, defense contractors must remain vigilant to confirm that they are accurately attesting to compliance with cybersecurity requirements when submitting certifications required by the new rule.