When the Department of Justice launched its Civil Cyber-Fraud Initiative (CCFI) in 2021, some contractors treated it as a press release. By 2026, the settlement numbers have ended that debate. Cyber enforcement through the False Claims Act (FCA) is real, growing, and increasingly driven by whistleblowers inside contractors' own walls.
How the Initiative Works
The CCFI uses the FCA to pursue contractors and grant recipients that:
1. knowingly provide deficient cybersecurity products or services,
2. knowingly misrepresent their cybersecurity practices or compliance, or
3. knowingly fail to monitor and report cyber incidents as required.
The FCA's power comes from two features: treble damages plus per-claim penalties, and its qui tam provision, which lets private whistleblowers sue on the government's behalf and share in the recovery.
The Numbers Are Climbing
In the fiscal year ending September 2025, cyber-related matters accounted for roughly $52 million across nine settlements, part of record overall FCA recoveries, and DOJ has reported that cybersecurity resolutions more than tripled in consecutive years. Notably, a majority of 2025's cyber settlements began as whistleblower suits, frequently filed by IT and security staff who saw the gap between what was certified and what was actually in place.
Cases Worth Knowing
- Health Net Federal Services / Centene — $11.25M (2025). Allegations of falsely certifying compliance with cybersecurity requirements on a federal health contract.
- Raytheon (RTX) and affiliates — $8.4M (2025). Allegations of submitting claims that falsely certified cyber compliance.
- MORSE Corp — $4.6M (2025). Alleged noncompliance with cybersecurity requirements on Army and Air Force contracts.
- Penn State University — $1.25M (2024). Alleged misrepresentation of NIST SP 800-171 compliance.
- Verizon — $4M (2023). Alleged failure to meet required security controls.
*(Settlements are not admissions of liability.)*
The Common Thread
Read the cases together and a pattern emerges: the liability is in the certification, not merely the breach. Contractors got into trouble for claiming a security posture they didn't have, submitting inflated scores to the Supplier Performance Risk System (SPRS), or failing to report known incidents. A real breach with honest reporting is a security problem; a false certification is a fraud problem, and the FCA punishes the latter far more harshly.
How to Reduce Your Exposure
- Keep certifications honest. Your SPRS score should reflect the controls you have actually implemented, not the ones you plan to implement.
- Document everything. A current self-assessment and a dated Plan of Action and Milestones (POA&M) for each unimplemented control show good faith.
- Report on time. Meet the DFARS 252.204-7012 requirement to report cyber incidents within 72 hours of discovery, plus any agency-specific or CIRCIA obligations that apply to you.
- Mind your proposals. Past-performance and technical volumes that overstate controls can become the basis of a claim.
- Listen internally. Many qui tam suits follow ignored internal complaints — take them seriously.
Key Takeaways
- CCFI enforcement is accelerating, with settlements now routinely in the millions.
- Whistleblowers drive most cases — internal culture matters.
- The fix is unglamorous: accurate scores, documented remediation, and timely reporting.
For more, see the Enforcement page and our guide to DFARS 252.204-7012.