GovConCyber Research
Cyber Enforcement Actions Hub
Cybersecurity enforcement is developing through settlements, court decisions, board decisions, agency actions, state attorney general matters, and public-sector contract remedies. This Hub collects the actions and landmark legal developments contractors should understand.
Featured actions
Landmark enforcement actions
Georgia Tech SPRS score and cybersecurity FCA matter
Shows that SPRS scores, SSPs, and assessment-related cyber representations can themselves become enforcement targets.
$875,000
Raytheon / Nightwing cybersecurity FCA settlement
Supports a hub theme that large defense and national-security contractors remain within active cyber-FCA focus.
$8,400,000
Health Net Federal Services / Centene TRICARE cybersecurity settlement
Shows vulnerability management, scanning, and SSP commitments can become FCA-relevant when incorporated into contract reporting.
$11,253,400
Penn State NIST SP 800-171 and SPRS cybersecurity settlement
Important for universities, research institutions, and labs that treat sponsored research compliance differently from traditional GovCon compliance.
$1,250,000
SEC v. SolarWinds and security-statement liability
Important for contractors whose public marketing, website security pages, and compliance statements are reviewed by agencies, customers, investors, or regulators.
Guidehouse / Nan McKay federally funded rental-assistance cyber settlement
Important because it bridges federal funding, state program administration, subcontractor roles, security testing, and public-benefits data.
$11,300,000
Verizon MTIPS cybersecurity-controls FCA settlement
Useful example of both enforcement exposure and the value of cooperation credit.
$4,091,317
Aerojet Rocketdyne cyber-FCA settlement
Landmark cyber-FCA matter showing that contractor cybersecurity representations can survive meaningful litigation and become settlement leverage.
$9,000,000
All actions
All 16 enforcement actions
Georgia Tech SPRS score and cybersecurity FCA matter
Shows that SPRS scores, SSPs, and assessment-related cyber representations can themselves become enforcement targets.
$875,000
Raytheon / Nightwing cybersecurity FCA settlement
Supports a hub theme that large defense and national-security contractors remain within active cyber-FCA focus.
$8,400,000
Health Net Federal Services / Centene TRICARE cybersecurity settlement
Shows vulnerability management, scanning, and SSP commitments can become FCA-relevant when incorporated into contract reporting.
$11,253,400
Penn State NIST SP 800-171 and SPRS cybersecurity settlement
Important for universities, research institutions, and labs that treat sponsored research compliance differently from traditional GovCon compliance.
$1,250,000
SEC v. SolarWinds and security-statement liability
Important for contractors whose public marketing, website security pages, and compliance statements are reviewed by agencies, customers, investors, or regulators.
Guidehouse / Nan McKay federally funded rental-assistance cyber settlement
Important because it bridges federal funding, state program administration, subcontractor roles, security testing, and public-benefits data.
$11,300,000
Verizon MTIPS cybersecurity-controls FCA settlement
Useful example of both enforcement exposure and the value of cooperation credit.
$4,091,317
Aerojet Rocketdyne cyber-FCA settlement
Landmark cyber-FCA matter showing that contractor cybersecurity representations can survive meaningful litigation and become settlement leverage.
$9,000,000
MORSE Corp Army and Air Force cybersecurity fraud settlement
Adds a mid-sized defense contractor example for cyber-FCA enforcement beyond only marquee primes.
$4,600,000
Enzo Biochem multistate health-data breach settlement
Illustrates state AG enforcement and practical controls expected for health/personal information—relevant to contractors handling similar state/local data.
$4,500,000
Texas $1.4B Meta biometric-data settlement
Not a government-contractor case, but a landmark state privacy enforcement action relevant to contractors building identity, video, AI, surveillance, public-safety, or biometric systems.
$1,400,000,000
Adapt Consulting v. GSA default termination burden of proof
Not a cyber-control case, but important enforcement-counterweight content: agencies must prove default and contractors can contest enforcement actions.
$97,907.41 awarded plus CDA interest
Jelly Bean Florida Medicaid enrollment website cybersecurity settlement
Small-vendor example showing cyber-FCA risk is not limited to defense primes.
$293,771
hiQ v. LinkedIn and public-data scraping under the CFAA
Relevant to public-sector AI, analytics, OSINT, and data vendors evaluating scraping/data acquisition risk.
Comprehensive Health Services unsecured medical-records settlement
Foundational Civil Cyber-Fraud Initiative settlement; important for health data and overseas support contractors.
$930,000
Van Buren and the CFAA 'exceeds authorized access' limit
Important for contractors defining insider misuse, credential abuse, scraping, monitoring, and employee access controls.
Why enforcement actions matter for contractors
Enforcement often turns on representations and documentation, not just technical gaps. A cybersecurity weakness becomes an enforcement risk when it is paired with a certification, SPRS score, SSP, contract clause, or proposal statement that says something different from what was actually implemented. The actions in this Hub illustrate that pattern across defense contractors, research institutions, healthcare contractors, public-benefits vendors, software suppliers, and state/local public-sector vendors.
Understanding these enforcement theories helps contractors treat compliance representations as the legal commitments they are — and build documentation, testing, and remediation practices that hold up under scrutiny.
Entries last verified: 2026-06-25. Primary sources are linked on each action's detail page. GovConCyber is not a law firm, MSP/MSSP, C3PAO, RPO, or compliance vendor.