Overview
Cybersecurity requirements in federal contracts are not paperwork — they are enforced, increasingly through the False Claims Act (FCA). When a contractor certifies compliance it does not actually meet, the government (and whistleblowers) can treat that as a false claim. This page explains the main enforcement mechanisms and what recent cases show.
The DOJ Civil Cyber-Fraud Initiative (CCFI)
Launched in 2021, the CCFI uses the FCA to pursue contractors and grant recipients that:
1. knowingly provide deficient cybersecurity products or services,
2. knowingly misrepresent their cybersecurity practices or compliance, or
3. knowingly violate obligations to monitor and report cyber incidents.
The Initiative has accelerated. In the fiscal year ending September 2025, cyber-related matters accounted for roughly $52 million across nine settlements, part of record overall FCA recoveries, and the Department has reported that cybersecurity resolutions more than tripled in consecutive years. A majority of these cases began as qui tam (whistleblower) suits — often filed by insiders such as IT staff.
Recent Settlements
| Contractor | Amount | Year | Core allegation |
|---|---|---|---|
| Health Net Federal Services / Centene | $11.25M | 2025 | Falsely certified compliance with cyber requirements |
| Raytheon (RTX) and affiliates | $8.4M | 2025 | False certification of cybersecurity compliance |
| MORSE Corp | $4.6M | 2025 | Noncompliance on Army and Air Force contracts |
| Penn State University | $1.25M | 2024 | Misrepresented NIST 800-171 compliance |
| Verizon | $4.0M | 2023 | Failure to meet required security controls |
*(Settlements are not admissions of liability. Verify current case details against DOJ press releases before citing.)*
Other Enforcement Tools
Beyond the FCA, contractors face:
- Contract termination, suspension, and debarment — losing current work and future eligibility.
- Agency-specific enforcement — e.g., DoD withholding awards for missing or low SPRS scores.
- Criminal statutes — the CFAA (18 U.S.C. § 1030) for unauthorized access.
- Incident-reporting penalties — failing to report within required windows (DFARS 72 hours; CIRCIA and agency rules) is itself a compliance failure.
Landmark Cases We've Covered
For deeper reads on the cases shaping this enforcement landscape, see our analyses of the Aerojet Rocketdyne $9M settlement — the case that proved cyber-FCA suits are litigable — the DOJ's suit against Georgia Tech over a false SPRS score, and the $11.3M Guidehouse / Nan McKay settlement. For the program-level overview, read our piece on the DOJ's Civil Cyber-Fraud Initiative.
Practical Takeaways
The lesson of the case law is consistent: the risk is in the certification, not just the breach. Most settlements involve contractors that claimed a security posture they did not have, or failed to report known incidents. Keep your SPRS scores honest and current, document remediation in a POA&M, and never let a proposal overstate your controls.
This page summarizes publicly reported enforcement actions for educational purposes. It is not legal advice. If you face an enforcement matter, consult qualified counsel.
Sources
- U.S. Department of Justice press releases (justice.gov); FCA annual recovery statistics
Landmark cases
Recent settlements show how cybersecurity misrepresentations become False Claims Act exposure: the $11.3M Guidehouse / Nan McKay settlement over an unremediated vulnerability, Aerojet Rocketdyne's $9M cyber-FCA settlement, and the DOJ's Georgia Tech suit over an allegedly false SPRS score. Each is examined in our blog's Case Law series.
Beyond the False Claims Act
Cybersecurity failures and misrepresentations draw enforcement from several directions, not just the FCA. The FTC pursues unreasonable security and broken privacy promises under Section 5; the SEC has pursued cybersecurity-disclosure cases against public companies (see *SEC v. SolarWinds*); state attorneys general bring breach and privacy actions under state law (e.g., the Enzo Biochem and Meta/Texas settlements); and private plaintiffs file breach class actions — where the threshold fight is often Article III standing (*TransUnion*, *OPM*, *McMorris*). For contractors, the same incident can trigger several of these at once.
Export-Control and Supply-Chain Enforcement
Foreign-access rules carry their own, often severe, enforcement track. BIS and OFAC impose civil and criminal penalties for export-control and sanctions violations — the ZTE matter alone produced more than $1 billion in combined penalties, and Huawei's placement on the Entity List reshaped global supply chains. The Justice Department has also prosecuted trade-secret theft and undisclosed foreign-talent-program ties (the former China Initiative, wound down in 2022 but with 2025 revival efforts underway, including FCA-based investigations of research institutions). Contractors handling controlled technology should treat export-control compliance as carrying enforcement stakes on par with the FCA. (See the Foreign Access & Supply-Chain Controls primer.)