
Cyber Security Fraud

Cyber security fraud is a growing problem in the United States and around the world. Federal regulations and contracts require many government contractors to establish and maintain strong cyber security measures and to assess and accurately report their vulnerability to cyber attacks. Where contractors lie about their cyber security controls, they may violate the False Claims Act, a strong tool for combating cybercrime and the costs associated with inadequate cyber security.

Cyber Security Rules and Guidance

For the most part, the cyber security regulations a contractor must follow depend on the contracting government agency. All federal contractors, however, must abide by the Federal Acquisition Regulations (FARs). Department of Defense contractors must follow additional regulations, such as those codified in the Defense Federal Acquisition Regulation Supplement (DFARS) and the NASA FAR Supplement (NFS).

For instance, since December 31, 2017, all contractors who process, store, or transmit Controlled Unclassified Information (CUI) have been required to comply with DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting). Those regulations require defense contractors to implement cybersecurity controls that meet or exceed National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations). Furthermore, contractors in the Defense Industrial Base (DIB) must implement DFARS 252.204-7021 (Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements). These requirements apply equally to all contractors that process, store, or transmit CUI, regardless of size. Similarly, DIB subcontractors must certify their compliance with DoD cybersecurity standards to be eligible to work on DoD projects.

Companies that maintain the protected health information (PHI) of government beneficiaries are subject to additional regulations. For example, they must abide by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the CMS Information Systems Security & Privacy Policy.

Companies that fail to comply with these rules may be liable for claims under the federal False Claims Act.

What is the Civil Cyber-Fraud Initiative?

Cyber fraud poses a risk to businesses, national security, and taxpayers. On October 6, 2021, the Department of Justice introduced the Civil Cyber-Fraud Initiative (Initiative) to combat cyber fraud. The Initiative emphasizes civil enforcement to hold government contractors accountable for failing to meet cybersecurity standards or failing to report cybersecurity incidents and breaches. This helps ensure that sensitive government information is adequately protected and that taxpayer dollars are used appropriately.

The Initiative empowers whistleblowers to file lawsuits against entities or individuals that endanger U.S. information by providing deficient cybersecurity products or services, misrepresenting cybersecurity practices, or violating monitoring and reporting obligations. In addition, the Initiative offers a powerful incentive for whistleblowers: they may receive up to 30% of the government's financial recovery in successful cyber security fraud lawsuits. Reporting cyber fraud aids the government in addressing leaked sensitive material, recovering misappropriated funds, and informing businesses of breaches.

The False Claims Act – A Strong Tool Against Cyber Security Failures

In February 2024, then-Assistant Attorney General Brian M. Boynton provided some insight into how DOJ intended to use the False Claims Act in the fight against cyber crime:

The first priority I'd like to mention is cybersecurity. In October 2021, the department announced the Civil Cyber-Fraud Initiative. The initiative is dedicated to using the False Claims Act to bring enforcement actions when government contractors fail to follow federal cybersecurity requirements, putting government data and information systems at risk.

In partnership with agency inspectors general (IGs), we will continue to dedicate resources to investigating companies that fail to comply with their cybersecurity obligations. We expect these cases to continue to be a significant area of enforcement in the coming years.

Cyber Security Failures May Violate the False Claims Act

The False Claims Act can be used to address failures to meet cybersecurity standards when providing products or services to the government. These standards are usually specified in the contract itself, and violating them can harm the government.

Some examples of cybersecurity failures are: failing to implement required cybersecurity controls, failing to remediate known cybersecurity gaps, and using commercial-grade cloud services to store, process, or communicate CUI.

Another way companies can violate the False Claims Act is by submitting false cybersecurity assessment information to DoD. If a company misrepresents its security controls, monitoring practices, or breach response procedures, the government may make contracting decisions based on false information.

Lastly, concealing or failing to promptly report a cybersecurity incident can also be a violation. DoD regulations require contractors to report cyber incidents within 72 hours of discovery. The government can hold contractors financially liable for violating those reporting requirements.

Settlements Under the Civil Cyber-Fraud Initiative

In March 2025, MORSECORP, Inc. agreed to pay $4.6 million, plus interest, to resolve allegations brought by our client that it made false representations concerning compliance with required cybersecurity controls for safeguarding sensitive government information. This settlement is particularly notable because it represented the first major False Claims Act settlement with a defense contractor based on failures to implement required cybersecurity controls.

In May 2025, Raytheon Company, its parent RTX Corporation, and successor Nightwing Group agreed to pay $8.4 million to resolve allegations under the False Claims Act for failing to comply with cybersecurity requirements in 29 Department of Defense contracts.

In August 2025, Illumina, a biotechnology company headquartered in California, agreed to pay a $9.8 million settlement to resolve allegations that it violated the False Claims Act. The case alleged that Illumina knowingly sold genomic sequencing systems with significant cybersecurity vulnerabilities to federal agencies.

In July 2022, Aerojet Rocketdyne, Inc. paid $9 million to settle a case alleging it falsely certified its cyber security controls in order to win contracts.

We Help Whistleblowers Report Cybersecurity Failures

If you know that a government contractor has falsely certified compliance with its cybersecurity requirements, or has failed to report a cybersecurity breach, contact us. Our attorneys include one of Lawdragon's 500 Leading Global Cyber Lawyers and several former federal prosecutors with experience safeguarding sensitive government information. We can discuss your concerns in a confidential and secure setting, and we can advise you on the best options to prevent critical information and data from falling into the wrong hands.