
Enforcement, the False Claims Act & the Civil Cyber-Fraud Initiative


How cybersecurity non-compliance is enforced — DOJ's Civil Cyber-Fraud Initiative, False Claims Act risk, and recent settlements.

Last reviewed: June 4, 2026 · Version v1

Overview

Cybersecurity requirements in federal contracts are not paperwork — they are enforced, increasingly through the False Claims Act (FCA). When a contractor certifies compliance it does not actually meet, the government (and whistleblowers) can treat that as a false claim. This page explains the main enforcement mechanisms and what recent cases show.

The DOJ Civil Cyber-Fraud Initiative (CCFI)

Launched in 2021, the CCFI uses the FCA to pursue contractors and grant recipients that:

1. knowingly provide deficient cybersecurity products or services,
2. knowingly misrepresent their cybersecurity practices or compliance, or
3. knowingly violate obligations to monitor and report cyber incidents.

The Initiative has accelerated. In the fiscal year ending September 2025, cyber-related matters accounted for roughly $52 million across nine settlements, part of record overall FCA recoveries, and the Department has reported that cybersecurity resolutions more than tripled in consecutive years. A majority of these cases began as qui tam (whistleblower) suits — often filed by insiders such as IT staff.

Recent Settlements

| Contractor | Amount | Year | Core allegation |
| --- | --- | --- | --- |
| Health Net Federal Services / Centene | $11.25M | 2025 | Falsely certified compliance with cyber requirements |
| Raytheon (RTX) and affiliates | $8.4M | 2025 | False certification of cybersecurity compliance |
| MORSE Corp | $4.6M | 2025 | Noncompliance on Army and Air Force contracts |
| Penn State University | $1.25M | 2024 | Misrepresented NIST 800-171 compliance |
| Verizon | $4.0M | 2023 | Failure to meet required security controls |

*(Settlements are not admissions of liability. Verify current case details against DOJ press releases before citing.)*

Other Enforcement Tools

Beyond the FCA, contractors face:

  • Contract termination, suspension, and debarment — losing current work and future eligibility.
  • Agency-specific enforcement — e.g., DoD withholding awards for missing or low SPRS scores.
  • Criminal statutes — the CFAA (18 U.S.C. § 1030) for unauthorized access.
  • Incident-reporting penalties — failing to report within required windows (DFARS 72 hours; CIRCIA and agency rules) is itself a compliance failure.

Practical Takeaways

The lesson of the case law is consistent: the risk is in the certification, not just the breach. Most settlements involve contractors that claimed a security posture they did not have, or failed to report known incidents. Keep your SPRS scores honest and current, document remediation in a POA&M, and never let a proposal overstate your controls.

This page summarizes publicly reported enforcement actions for educational purposes. It is not legal advice. If you face an enforcement matter, consult qualified counsel.

Sources

  • U.S. Department of Justice press releases (justice.gov); FCA annual recovery statistics