14 August 2025

Private Equity Firm Involved In DOJ's Most Recent Cyber FCA Settlement

Arnold & Porter

Contributor

Arnold & Porter is a firm of more than 1,000 lawyers, providing sophisticated litigation and transactional capabilities, renowned regulatory experience and market-leading multidisciplinary practices in the life sciences and financial services industries. Our global reach, experience and deep knowledge allow us to work across geographic, cultural, technological and ideological borders.

As Qui Notes readers know, the U.S. Department of Justice (DOJ) announced a civil cyber fraud initiative nearly four years ago, and we have been tracking False Claims Act (FCA) complaints and settlements since then, for example, in our January 2025 and March 2025 posts. Late last month, DOJ announced its most recent cybersecurity FCA settlement with aerospace maintenance provider, Aero Turbine, Inc. (ATI), and Gallant Capital Partners (Gallant), a private equity firm that owned a controlling stake in ATI during the time period covered by the settlement. The companies agreed to pay $1.75 million in total to resolve DOJ's allegations.

This is yet another settlement related to the implementation of the controls identified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 requires that a contractor adhere to the cybersecurity standards in NIST SP 800-171 for any unclassified information system that processes, stores, or transmits Covered Defense Information, which in turn refers to unclassified information as described in the Controlled Unclassified Information (CUI) Registry. ATI's contract with the Air Force to repair, maintain, and overhaul turbojet engines incorporated DFARS 252.204-7012 by reference, and the information system it used when performing the contract contained CUI.

DOJ alleged that ATI had not fully implemented NIST SP 800-171 for its information system. Neither ATI nor Gallant had verified whether the system met the cybersecurity controls required by NIST SP 800-171; instead, ATI had assumed that its implementation of export controls to protect technical data was sufficient to meet its cybersecurity obligations under the Management of Items Subject to Repair (MISTR) Contract. DOJ also alleged that ATI engaged a foreign software company to improve the system and that a Gallant employee assisting ATI provided that company's personnel in Egypt with data from ATI's system, even though the company and its foreign citizen personnel were not authorized to receive CUI under the MISTR Contract.

Private equity firms have been targeted in FCA investigations and enforcement actions in other contexts (such as healthcare), but to our knowledge, this is the first cybersecurity settlement with a private equity firm. Here, we suspect that Gallant got roped into this settlement because of its alleged role in directly sending CUI from the MISTR Contract to the unauthorized foreign citizen personnel. This settlement provides a warning that, when private equity firms take a more hands-on role with their federal contractor portfolio companies, they too face potential cyber FCA risk if those contractors are not complying with their cybersecurity obligations and/or representations.

Finally, this settlement is also noteworthy in that ATI submitted two written disclosures to the United States regarding its noncompliance with cybersecurity requirements related to the MISTR Contract, cooperated with the United States' investigation, and ultimately received cooperation credit as a result. Specifically, ATI and Gallant cooperated by identifying relevant individuals, disclosing facts gathered during an independent investigation with attribution of the facts to specific sources, and representing that it had implemented mechanisms to address the identified issues and prevent similar issues in the future.

Of course, we will keep tracking and reporting on FCA cybersecurity cases and settlements here at Qui Notes.
