The U.S. Department of Defense (DOD) obligates about half a trillion dollars a year to private contractors for everything from high-end weapons and data systems to basic goods and services like fuel, shipping, food, and medical care. That scale brings scrutiny from DOD's contracting officers, auditors, and investigators, as well as from whistleblowers at contractors and subcontractors, who are incentivized by hefty qui tam bounties to identify performance failures (real or perceived). These are issues that often should be handled through negotiations or as contract disputes. Many times, however, these seemingly simple contract claims are relabeled as "fraud" and transformed into high-stakes False Claims Act (FCA) cases.
So far, at least, the second Trump administration has maintained this fraud-oriented approach to federal procurement with enforcement efforts against defense contractors that have focused on cybersecurity compliance and pricing. Just this year, there have been at least four multimillion-dollar settlements with defense contractors arising from alleged cybersecurity compliance issues, as well as large settlements and a criminal conviction tied to pricing issues.
Cybersecurity enforcement in practice
The Department of Justice (DOJ) has been threatening potential FCA liability for cybersecurity compliance failures since at least the Biden administration, but the cases and settlements have been few and far between. Now, however, efforts to enforce cybersecurity rules through FCA liability, with its significant financial consequences, have picked up momentum, including in a series of settlements just this year.
The DOJ declared its intent to use the FCA for cybersecurity compliance in October 2021, when DOJ launched its Civil Cyber-Fraud Initiative. In that initiative, DOJ lawyers were directed to use the FCA to pursue cybersecurity compliance failures by government contractors and grant recipients as fraud.1 The DOJ contemplated using the FCA to penalize contractors that deployed deficient cybersecurity services, misrepresented security controls, or failed to report breaches as required under federal contracts and incorporated regulations. Even before this year, the DOJ has announced several settlements under this initiative.2
DOD's Office of Inspector General (OIG) has also been attuned to cybersecurity compliance. In January 2025, DOD OIG issued an audit criticizing DOD's process for approving third-party vendors that perform Cybersecurity Maturity Model Certification (CMMC) assessments.3 The purpose of these CMMC assessments is to promote basic cyber hygiene to maintain security for Controlled Unclassified Information and Federal Contract Information. The audit found that DOD "did not fully implement required internal controls" over the CMMC certifier program, raising concerns about the qualification of the certifying bodies and whether noncompliant contractors had been certified.
With these precursors, it is perhaps no surprise that the defense sector has seen a number of FCA settlements this year related to cybersecurity.
First, in February, the DOJ announced an $11.25 million settlement with Health Net Federal Services LLC, which is a managed care provider for the military health plan TRICARE, and its parent company, Centene.4 Health Net had agreed in its contract to provide IT services "as needed to accomplish the stated functional and operational requirements" of the program, and to adhere to privacy and cybersecurity regulations. It also submitted annual reports certifying its compliance with certain cybersecurity controls. The DOJ alleged, among other things, that Health Net failed to perform timely scans for known vulnerabilities in its systems and ignored reports from security auditors about several compliance failures, including improper access controls, incorrect software configurations, end-of-life software and hardware, poor patch management practices, and problematic password policies. The government took the position that these violations rendered the claims for payment false, "regardless of whether there was any exfiltration or loss of servicemember data or protected health information."5
Then, in March, MorseCorp Inc., a software developer with contracts to build AI tools for DOD, agreed to pay $4.6 million to settle allegations that it failed to comply with cybersecurity obligations in its defense contracts.6 The settlement arose from a qui tam complaint filed by Morse's head of security, who alleged that the company failed to satisfy Defense Federal Acquisition Regulation Supplement (DFARS) provisions requiring all DOD contractors to provide adequate security on all covered contractor information systems, and to satisfy the Federal Risk and Authorization Management Program (FedRAMP) baseline for security requirements. According to the whistleblower, from 2018 to 2022, the company used noncompliant third-party email hosting, lacked a consolidated written security plan, failed to implement required controls, and did not timely update its Supplier Performance Risk System after a third-party assessment lowered its score.7
And in May, Raytheon Companies and Nightwing Group settled with the DOJ for $8.4 million to resolve allegations that they failed to implement required cybersecurity protections on an internal development system used in unclassified work under DOD contracts.8 That settlement resulted from a qui tam action filed by a former Raytheon director of engineering, which alleged that Raytheon used its noncompliant internal system to develop and store covered defense information and federal contract data for 29 contracts. And that whistleblower received $1.5 million of the settlement funds.
Finally, just last week, defense contractor Aero Turbine Inc. and its former private equity investor Gallant Capital Partners LLC agreed to pay $1.75 million to resolve FCA claims arising from cybersecurity compliance issues.9 According to the settlement agreement, Aero Turbine failed to implement cybersecurity controls over access to technical data, incorrectly assuming that its export controls procedures were sufficient to prevent exfiltration of defense information. As a result, when Aero Turbine and Gallant engaged an Egyptian vendor to work on internal software containing defense information, that vendor received unauthorized access to the defense information. Aero Turbine and Gallant received cooperation credit from DOJ for self-disclosing these issues and cooperating in the investigation, and paid only 1.5x the government's alleged injury, less than the 2x multiple that settling defendants typically pay.
These cases make clear that the DOJ – armed with information supplied by knowledgeable whistleblowers up to and including the very people responsible for cybersecurity – is willing to aggressively pursue technical failures in cybersecurity, even if there is no evidence of a breach. They also show that even common practices, like relying on third-party cloud service providers, are risky if contractors fail to exercise best practices in ensuring their vendors' compliance with federal standards. Traditional large defense contractors and defense-tech startups alike face real exposure.
Pricing under the microscope
Alongside its cybersecurity push, the DOJ has turned up the heat on enforcing rules on pricing and cost data. The Truthful Cost or Pricing Data statute (formerly the Truth in Negotiations Act or TINA) requires contractors to submit accurate, complete, and current cost or pricing data when negotiating certain federal contracts.10 Congress enacted TINA in 1962 to level the playing field in sole-source contracts by ensuring that government negotiators have access to the data that contractors used to develop their proposals. Violations of these requirements can form the basis for costly FCA liability.
For example, in May, L3 Technologies Inc. agreed to pay $62 million to resolve allegations that one of its divisions, Communications System West, failed to disclose current, accurate, and complete pricing of labor and materials used for communications systems in military operations.11 The DOJ alleged that L3 falsely certified compliance with TINA while negotiating contracts with the Air Force, Army, and Navy for eight items, including enhanced receivers and surveillance kits. And there have been other similar settlements related to TINA violations this year.
Pricing-data issues can also intersect with bid-rigging allegations. In July, construction company Berg Companies Inc. agreed to pay $3.3 million to resolve FCA allegations stemming from a qui tam complaint filed by a sales representative and managing director. Allegedly, Berg coordinated with Noble Supply & Logistics to inflate quotes and distort competitive pricing for prime vendor contracts with the Defense Logistics Agency. As part of the settlement, Berg admitted the bid-rigging scheme manipulated costs on 39 wall shelters, undermining the integrity of the procurement process.12
And the DOJ isn't just pursuing civil penalties. It's also seeking prison time for contractors who compromise the procurement process. Earlier this year, four contractors pleaded guilty to bid-rigging, fraud, and bribery schemes tied to IT sales to DOD—schemes that allegedly exploited confidential procurement data and caused the government to suffer losses of approximately $1.3 million.13 Each contractor faces up to 20 years in prison.
While the DOJ has often pursued pricing fraud through civil FCA actions, these prosecutions may signal a more aggressive posture. That escalation became explicit in May 2025, when DOJ's Criminal Division formally announced that its Money Laundering and Asset Recovery Section and Fraud Section will make procurement and federal program fraud enforcement priorities.14 By calling out procurement and federal program fraud for priority enforcement, the DOJ has made clear that procurement failures will not necessarily be treated just as civil matters.
Footnotes
1 U.S. Dep't of Justice, Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative (Oct. 6, 2021), https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative.
2 See, e.g., U.S. Dep't of Justice, Medical Services Contractor Pays $930,000 to Settle False Claims Act Allegations Relating to Medical Services Contracts at State Department and Air Force Facilities in Iraq and Afghanistan (Mar. 8, 2022), https://www.justice.gov/archives/opa/pr/medical-services-contractor-pays-930000-settle-false-claims-act-allegations-relating-medical; U.S. Dep't of Justice, Cooperating Federal Contractor Resolves Liability for Alleged False Claims Caused by Failure to Fully Implement Cybersecurity Controls (Sept. 5, 2023), https://www.justice.gov/archives/opa/pr/cooperating-federal-contractor-resolves-liability-alleged-false-claims-caused-failure-fully; U.S. Dep't of Justice, United States Files Suit Against the Georgia Institute of Technology and Georgia Tech Research Corporation Alleging Cybersecurity Violations (Aug. 22, 2024), https://www.justice.gov/archives/opa/pr/united-states-files-suit-against-georgia-institute-technology-and-georgia-tech-research; U.S. Dep't of Justice, Consulting Companies to Pay $11.3M for Failing to Comply with Cybersecurity Requirements in Federally Funded Contract (June 17, 2024), https://www.justice.gov/archives/opa/pr/consulting-companies-pay-113m-failing-comply-cybersecurity-requirements-federally-funded.
3 U.S. Dep't of Defense Office of Inspector General, Audit of the DOD's Process for Authorizing Third Party Organizations to Perform Cybersecurity Maturity Model Certification 2.0 Assessments, Report No. DODIG-2025-056 (Jan. 14, 2025), https://www.dodig.mil/In-the-Spotlight/Article/4028197/press-release-audit-of-the-dods-process-for-authorizing-third-party-organizatio/.
4 Settlement Agreement (Feb. 5, 2025), https://www.justice.gov/usao-edca/media/1389341/dl.
5 Id. at 3.
6 U.S. Dep't of Justice, Defense Contractor MORSECORP Inc. Agrees to Pay $4.6 Million to Settle Cybersecurity Fraud Allegations (Mar. 26, 2025), https://www.justice.gov/opa/pr/defense-contractor-morsecorp-inc-agrees-pay-46-million-settle-cybersecurity-fraud.
7 Settlement Agreement (Mar. 14, 2025), https://www.justice.gov/usao-ma/media/1394436/dl?inline.
8 U.S. Dep't of Justice, Raytheon Companies and Nightwing Group to Pay $8.4M to Resolve False Claims Act Allegations Relating to Non-Compliance with Cybersecurity Requirements in Federal Contracts (May 1, 2025), https://www.justice.gov/opa/pr/raytheon-companies-and-nightwing-group-pay-84m-resolve-false-claims-act-allegations-relating.
9 U.S. Dep't of Justice, California Defense Contractor and Private Equity Firm Agree to Pay $1.75M to Resolve False Claims Act Liability Relating to Voluntary Self-Disclosure of Cybersecurity Violations (July 31, 2025), https://www.justice.gov/opa/pr/california-defense-contractor-and-private-equity-firm-agree-pay-175m-resolve-false-claims; Settlement Agreement (July 31, 2025), https://www.justice.gov/opa/media/1409651/dl.
10 https://uscode.house.gov/view.xhtml?path=/prelim@title41/subtitle1/divisionC/chapter35&edition=prelim.
11 U.S. Dep't of Justice, L3 Technologies Inc. Agrees to Pay $62,000,000 to Resolve False Claims Act Allegations arising from Submission of False Cost or Pricing Data on Defense Contracts (May 22, 2025), https://www.justice.gov/opa/pr/l3-technologies-inc-agrees-pay-62000000-resolve-false-claims-act-allegations-arising.
12 U.S. Dep't of Justice, Defense Contractor Berg Co. Agrees to Pay $3.3M to Resolve Allegations of Causing Fraudulent Bids (July 14, 2025), https://www.justice.gov/opa/pr/defense-contractor-berg-co-agrees-pay-33m-resolve-allegations-causing-fraudulent-bids.
13 U.S. Dep't of Justice, Four Defendants Plead Guilty in Ongoing Bid-Rigging, Fraud and Bribery Investigation Related to U.S. Government IT Purchases (Jan. 14, 2025), https://www.justice.gov/archives/opa/pr/four-defendants-plead-guilty-ongoing-bid-rigging-fraud-and-bribery-investigation-related-us.
14 U.S. Dep't of Justice, Head of the Criminal Division, Matthew R. Galeotti Delivers Remarks at SIFMA's Anti-Money Laundering and Financial Crimes Conference (May 12, 2025), https://www.justice.gov/opa/speech/head-criminal-division-matthew-r-galeotti-delivers-remarks-sifmas-anti-money-laundering.