By Scott M. McAuliffe, CPA, CISA, CFE, Risk Advisory Services Partner

The cost of cybersecurity noncompliance
As the Department of Defense (DoD) continues its focus on securing the defense industrial base, cybersecurity compliance has not only left contractors scrambling to get compliant before CMMC regulations are included in their contracts, but it also has them on edge because of the wave of recent multimillion dollar False Claims Act (FCA) settlements with the Department of Justice (DoJ).
What many contractors don’t realize is that whistleblowers can be financially rewarded for reporting cybersecurity noncompliance, turning missteps that are only internally known into personal paydays.
Recent settlements: Warning signs for the industry
In the last six months, the DoJ has publicized several significant settlements it has reached with DoD contractors that violated cybersecurity regulations, including:
- Pennsylvania State University. In October 2024, the university agreed to pay $1.25 million to settle allegations that it failed to comply with cybersecurity requirements in 15 contracts or subcontracts involving the DoD or NASA. The case was initiated through a whistleblower.
- Health Net Federal Services (HNFS). In February 2025, the company agreed to pay $11.25 million to settle allegations that it falsely certified compliance with federal contractor cybersecurity requirements.
- MORSE Corp. In March 2025, the company agreed to pay $4.6 million to settle allegations that it failed to comply with cybersecurity requirements in its contracts with the Departments of the Army and Air Force. The case was initiated through a whistleblower.
- Raytheon Company, RTX Corporation, and Nightwing Group. In May 2025, the companies agreed to pay $8.3 million to settle allegations that Raytheon failed to comply with contractually mandated cybersecurity standards. The case was initiated through a whistleblower.
Why the increase in False Claims Act settlements related to cybersecurity?
The False Claims Act holds individuals and companies liable for defrauding governmental programs. Since the Department of Justice launched its Civil Cyber-Fraud Initiative in 2021, the FCA has become a potent tool for pursuing contractors that:
- Misrepresent their cybersecurity posture;
- Falsely certify compliance with DFARS/CMMC requirements; or
- Fail to report breaches and security control failures.
How DoJ is pursuing cybersecurity FCA cases
The DoJ’s Civil Cyber-Fraud Initiative focuses on the intersection of cybersecurity compliance and procurement fraud. Enforcement is being driven by:
- Whistleblower (Qui Tam) Lawsuits. As the settlements above show, many cases begin with insiders — such as former CISOs or other IT management — who report misrepresentations through the FCA’s whistleblower provisions. In addition to the protection those provisions offer them, whistleblowers can receive 15–30% of the recovered funds, which can make reporting attractive.
- Increased Oversight of DFARS Compliance. The DoJ is now routinely investigating whether companies are complying with DFARS 252.204-7012 and the CMMC model — and whether any statements about compliance were false certifications. A company that has posted a perfect score in the SPRS system for several years and then significantly revised its score presents a pattern the DoJ could treat as a red flag when identifying FCA violations.
Best practices for DoD contractors
To avoid costly fines/penalties, reputational damage, or loss of contracts, DoD contractors should:
- Ensure scores in the SPRS system accurately reflect the company’s current cybersecurity practices.
- If your IT team indicates that cybersecurity practices are not meeting NIST 800-171 requirements, take action to update SPRS scores, create POA&Ms, and begin remediation efforts to resolve the gaps.
- If you have performed the company’s self-assessment internally without any outside assistance, consider having an independent party (e.g., an RPO or C3PAO) perform a gap assessment to confirm the company meets the NIST SP 800-171 cybersecurity requirements. In fact, in a recent webinar with three C3PAOs that are performing CMMC assessments, they indicated that contractors who performed their NIST 800-171 assessment internally were far more likely to fail a CMMC assessment. Unless you have completed the training required to become a Registered Practitioner (RP), Registered Practitioner Advanced (RPA), CMMC Certified Professional (CCP), or CMMC Certified Assessor (CCA), it is difficult to understand what will be required to meet each of the 110 cybersecurity practices during a CMMC assessment.
Conclusion: Cybersecurity missteps can cost millions
False Claims Act fines/penalties related to cybersecurity are on the rise. The DoJ has made it clear: If you certify compliance with cybersecurity requirements and fail to uphold them, you may be held accountable — financially and legally.
With whistleblower provisions incentivizing insiders to come forward and DoJ actively pursuing violations, defense contractor executives need to be vigilant and ensure that their cybersecurity statements are accurate and can be supported under the scrutiny of a cybersecurity assessment.
Keiter’s Cybersecurity team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors.
If you want to work with consultants who know the NIST and CMMC frameworks and hold Registered Practitioner (RP) status, Keiter’s team of cybersecurity specialists can help you. Email | Call: 804.747.0000.
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.