When Aero Turbine and its private equity owner discovered they had shared sensitive defense files with an unauthorized Egyptian software firm, they told the government. The DOJ noticed — and said so publicly.
On July 31, 2025, the Department of Justice announced that Aero Turbine Inc. and its private equity firm Gallant Capital Partners LLC agreed to pay $1.75 million to resolve False Claims Act liability for cybersecurity violations on a Department of the Air Force contract — and explicitly credited their voluntary self-disclosure, cooperation, and remedial action as factors that shaped the outcome. The case is the clearest statement yet from the Civil Cyber-Fraud Initiative that how a contractor responds to a discovered violation affects what the government does with it.
What Happened
Aero Turbine Inc. is an aircraft component company based in Stockton, California. Gallant Capital Partners LLC, a Los Angeles-based private equity firm, is its owner.
The DOJ alleged two related failures under an Air Force contract:
First, from January 2018 to February 2020, Aero Turbine failed to implement certain cybersecurity controls required by its contract — specifically, controls in NIST Special Publication (SP) 800-171 that, if not in place, could enable significant exploitation of the company's system or exfiltration of sensitive defense information.
Second, and more specifically: in June and July of 2019, Aero Turbine and Gallant failed to control the flow of sensitive defense information. They provided a software company based in Egypt — and that company's foreign citizen personnel — with files containing sensitive defense information. Those individuals were not authorized to receive that information under the Air Force contract.
After the issues came to light, Aero Turbine and Gallant provided the government with multiple written self-disclosures, cooperated fully with the government's investigation, and took prompt remedial action. The DOJ explicitly acknowledged these steps and stated that the company and its PE firm received credit for cooperating with the government.
(A settlement is not an admission of liability.)
Why the Self-Disclosure Credit Matters
The DOJ's Assistant Attorney General for the Civil Division made the point directly in the press release:
"When defense contractors fail to comply with cybersecurity requirements, they can mitigate the consequences by making timely self-disclosures, cooperating with investigations, and taking prompt remedial measures."
That statement — a public articulation of a credit framework for cybersecurity FCA cases — is meaningful guidance. It tracks the approach the DOJ has used in other False Claims Act contexts (healthcare, procurement fraud) and signals that the Civil Cyber-Fraud Initiative will apply the same framework: self-disclosure is not a get-out-of-jail-free card, but it is a recognized mitigating factor.
For contractors, the practical read is this: discovering a cybersecurity compliance failure and disclosing it promptly produces a materially different outcome than waiting for the government — or a whistleblower — to find it first. Aero Turbine paid $1.75 million. Other companies in similar circumstances, without the self-disclosure credit, have paid significantly more.
The Foreign-Access Dimension
The second part of the Aero Turbine fact pattern — sharing sensitive defense files with an Egyptian software firm and its foreign citizen personnel — is worth examining separately.
This is not primarily a NIST 800-171 controls story. It is a CUI access control and flowdown story. The contract presumably included restrictions on who could access sensitive defense information; the software company and its personnel were not authorized recipients. Whether or not the Egyptian firm was a formal "subcontractor," the flow of controlled information to unauthorized foreign nationals represents the kind of access control failure that the government treats as among the most serious categories of cybersecurity violation.
Several NIST SP 800-171 requirements address exactly this scenario: limiting system access to authorized users (3.1.1), limiting access to types of transactions and functions (3.1.2), controlling information flows (3.1.3), and controlling access to CUI in external systems (3.1.20). The facts here suggest a gap in the operational discipline of tracking who, exactly, has access to controlled data when external parties are brought in for software support.
This is a pattern that repeats in the defense industrial base. Contractors hire outside software developers, integrators, or support firms without fully analyzing whether those arrangements trigger CUI handling obligations — or without flowing down the contractual restrictions on access.
What This Means for Contractors
1. The self-disclosure path exists and the DOJ has confirmed it is available for cybersecurity violations. If your company discovers a gap — a NIST 800-171 control failure, an unauthorized access event, a data handling error involving sensitive defense information — assess it quickly and involve counsel early. Prompt, structured self-disclosure has a demonstrated record of producing better outcomes than the alternative.
2. Treat external software support arrangements as a CUI access analysis trigger. When you bring in a third-party firm to support systems that handle controlled information, you need to confirm whether those individuals are authorized to access that information and whether your contract requires you to flow down cybersecurity handling requirements. The flowdown obligations for prime contractors and subcontractors are a critical piece of this analysis.
3. PE firms and corporate parents are not insulated from FCA liability. Gallant Capital Partners was a named settling party here. Private equity firms that own defense contractors can face direct FCA exposure for compliance failures in portfolio companies, particularly when they are involved in management decisions that affect contract performance.
4. Cybersecurity compliance history is a material due diligence item. The Aero Turbine conduct predated Gallant's ownership period in some respects, but the PE firm was named as a party. Buyers and investors in defense contractor businesses should treat prior-period cybersecurity compliance failures — including any open incidents or potential self-disclosure obligations — as material to valuation and deal structure.
Where This Fits
The Civil Cyber-Fraud Initiative now has a documented record of settlements at multiple size points, across multiple compliance frameworks, and with multiple legal theories. The Aero Turbine case adds two data points the prior cases did not clearly establish: that voluntary self-disclosure is a recognized credit factor in cybersecurity FCA cases, and that access control failures involving foreign nationals are squarely in scope.
For contractors assessing their obligations, the Find My Requirements tool and the Compliance Roadmap Assessment are starting points.
Key Takeaways
- Aero Turbine and Gallant Capital agreed to pay $1.75 million to resolve FCA allegations tied to NIST SP 800-171 control failures and unauthorized transmission of sensitive defense files to an Egyptian software firm and its foreign national personnel — with the DOJ publicly crediting voluntary self-disclosure, cooperation, and remediation as factors in the outcome.
- The DOJ explicitly stated that contractors who discover cybersecurity violations "can mitigate the consequences by making timely self-disclosures, cooperating with investigations, and taking prompt remedial measures" — the clearest articulation to date of a self-disclosure credit framework for Civil Cyber-Fraud Initiative cases.
- Private equity firms that own defense contractors are not shielded from FCA liability; Gallant Capital was a named settling party, reinforcing that PE ownership structures do not insulate investors from compliance failures in portfolio companies.