**On July 5, 2022, a federal court approved a $9 million settlement in *United States ex rel. Brian Markus v. Aerojet Rocketdyne Holdings, Inc.*, ending a seven-year False Claims Act suit over a defense contractor's cybersecurity certifications.** The case is foundational for government contractors because it was among the first cyber-fraud FCA actions to survive repeated dismissal attempts and reach the start of an actual trial — establishing, in practice, that misrepresenting your cybersecurity posture to the government can be a false claim.
## What the Case Was About
The suit, filed in the Eastern District of California (No. 2:15-cv-02245), alleged that Aerojet Rocketdyne falsely certified to the government its level of compliance with federal cybersecurity requirements — among them DFARS 252.204-7012, the clause requiring defense contractors handling covered defense information to implement the 110 cybersecurity controls in NIST SP 800-171 and to report cyber incidents.
The most striking allegation was about the gap between what was certified and what was true. According to the complaint, external auditors were able to compromise the contractor's network within four hours — obtaining all user accounts and passwords, reaching attorney-client privileged documents, and even remotely viewing and listening to security-camera footage at a company facility. At the same time, the company was allegedly certifying that it met applicable cybersecurity requirements.
## The Whistleblower at the Center
Like the later Georgia Tech case, this one came from the inside. The relator was Brian Markus, the company's former senior director of cybersecurity compliance — exactly the person positioned to know whether the certifications matched reality. He brought the action under the False Claims Act's *qui tam* provisions, which let private parties sue on the government's behalf and recover a share (here, up to 30 percent) of any proceeds.
The procedural history matters. The defendant tried repeatedly to end the case, and the DOJ filed a statement of interest in October 2021 addressing the FCA legal issues raised on summary judgment. The suit survived, and the parties settled in 2022 only after trial had already begun in April — a signal to the contracting community that these cases are litigable and that courts will let them reach a jury. In the settlement, the contractor expressly denied any FCA violation but agreed to pay $9 million.
## Why It Still Matters
Aerojet predates the DOJ's formal Civil Cyber-Fraud Initiative (announced October 2021) but became its template: cybersecurity representations are enforceable, insiders can and do blow the whistle, and the damages math under the FCA — treble damages plus penalties — makes the exposure severe. It also lands squarely on the same pressure point as today's compliance regime. Since November 2020, DFARS 252.204-7020 has required most defense contractors to self-assess against NIST SP 800-171 and post a score in the Supplier Performance Risk System (SPRS). Every one of those posted scores is a representation — the very kind of statement at issue in Aerojet.
## What Contractors Should Take Away
- Certify what you can prove. A compliance certification is a factual claim about your environment, not a statement of intent. If you cannot demonstrate a control, do not represent that you meet it.
- Close the gap between paper and practice. A polished system security plan means nothing if auditors can own your network in an afternoon. The allegation that resonates with juries is the distance between the certification and the reality.
- Your compliance leaders are your first auditors. The relator here ran cybersecurity compliance. Listen to internal concerns and document how you resolve them.
- Treat your SPRS score with the same seriousness. It is the modern equivalent of the certification at issue in Aerojet — self-reported, and fully enforceable.
## Key Takeaways
- *U.S. ex rel. Markus v. Aerojet Rocketdyne* settled for $9 million in July 2022 after seven years and the start of trial — a landmark showing that cyber-compliance misrepresentations can sustain a False Claims Act case.
- The relator was the company's own former senior director of cybersecurity compliance, and auditors allegedly breached the network within four hours while compliance was being certified.
- The lesson maps directly onto today's obligations: your DFARS 7012 certifications and SPRS score are enforceable representations — accuracy is the only safe posture.
See the broader picture on Enforcement & Penalties and our overview of the DOJ's Civil Cyber-Fraud Initiative; compare the parallel Georgia Tech false-SPRS-score suit and learn how the SPRS score actually works; then confirm what applies to your contracts with Find My Requirements.