Federal contractors, grant recipients, and the investors behind them now face a cybersecurity enforcement environment that is no longer emerging but firmly established. The Department of Justice’s accelerating use of the False Claims Act to pursue alleged cybersecurity misrepresentations signals a decisive shift for cybersecurity, privacy, compliance, information governance, and eDiscovery professionals. As the government moves beyond breach-centric narratives and focuses instead on the gap between certifications and actual security practices, organizations must treat cyber compliance records, system security plans, assessment scores, and disclosure decisions as potential evidence in future enforcement actions. This analysis highlights why the DOJ’s FY 2025 results matter, how CMMC 2.0 raises the stakes, and why the operational reality of cybersecurity now carries direct legal and financial consequences.
The DOJ’s Cyber FCA Playbook Is Working as Enforcement Triples and Shows No Signs of Slowing
ComplexDiscovery Staff
A defense contractor scores itself at -142 on a cybersecurity self-assessment, then waits nearly a year — and a federal subpoena — before correcting the record. A genomics company sells sequencing systems riddled with software vulnerabilities to federal agencies for seven years. A university research lab conducting sensitive Air Force and DARPA cyber-defense work runs without antivirus software on its desktops and servers.
These are not hypotheticals. They are the fact patterns behind three of the nine cybersecurity-related False Claims Act settlements the Department of Justice secured in fiscal year 2025, settlements that together totaled more than $52 million. According to DOJ statistics and practitioner analysis, cyber-related FCA recoveries have more than tripled over the past two fiscal years.
The acceleration is unmistakable. Since Deputy Attorney General Lisa Monaco launched the Civil Cyber-Fraud Initiative in October 2021, the DOJ has settled at least fifteen civil cyber-fraud cases under the FCA, according to DOJ statistics and practitioner tallies. Nine of those fifteen — 60 percent — were resolved in FY 2025 alone. And the pace has not slowed: in December 2025, the DOJ announced what analysts identified as the first cyber FCA settlement to reach the subcontractor tier of the defense supply chain, when Swiss Automation Inc., an Illinois-based precision machining supplier, agreed to pay $421,234 for failing to protect technical drawings of parts delivered to DoD prime contractors.
From Niche Initiative to Established Enforcement Track
Deputy Assistant Attorney General Brenna Jenny, the DOJ’s top False Claims Act official, made the trajectory explicit during remarks at the American Conference Institute’s Advanced Forum on False Claims and Qui Tam Enforcement in January 2026. Jenny described the recoveries as reflecting a “significant upward trajectory” and emphasized that the government intends to sustain the pace. She also drew a distinction that federal contractors should internalize: cyber-fraud cases, she said, are “not about data breaches” but are “premised on misrepresentations” — the gap between what an organization tells the government about its cybersecurity posture and what it actually does.
That framing matters. It means the DOJ does not need a breach to bring a case. It needs evidence that a contractor or grantee certified compliance with cybersecurity requirements while knowing — or recklessly disregarding — that the certification was false. The bar for liability sits at the point of the misrepresentation, not at the point of compromise.
The nine FY 2025 settlements illustrate the range of conduct now triggering enforcement. Health Net Federal Services and its parent company Centene Corporation paid $11.2 million to resolve allegations that HNFS falsely certified compliance with cybersecurity requirements in its contract to administer TRICARE, the Defense Health Agency’s benefits program for servicemembers and their families. Between 2015 and 2018, according to the DOJ, HNFS failed to scan for known vulnerabilities, ignored findings from both third-party auditors and its own internal audit department, and fell short on patch management, access controls, and end-of-life system remediation.
Raytheon Company, RTX Corporation, and Nightwing Group LLC paid $8.4 million in April 2025 to resolve allegations that Raytheon used a noncompliant internal system to develop, use, or store covered defense information and federal contract information across 29 DoD contracts and subcontracts. The system allegedly failed to meet NIST SP 800-171 and FAR 52.204-21 security requirements between 2015 and 2021. The Raytheon settlement also shows that exposure follows the business rather than the original owner: Nightwing, which acquired the relevant Raytheon unit after the alleged misconduct occurred, was included in the settlement even though the conduct predated its ownership.
Illumina Inc. paid $9.8 million — widely viewed as the first FCA settlement focused on a medical device manufacturer’s product-level cybersecurity design. The DOJ alleged that between 2016 and 2023, Illumina sold federal agencies genomic sequencing systems with software vulnerabilities, failed to resource its product security function, and falsely represented that its systems met NIST and ISO standards. A former Illumina director of platform management filed the qui tam complaint that launched the case. The Illumina precedent carries broad implications for any medical device or health technology manufacturer selling products to the VA, DoD health systems, or institutions receiving HHS funding — product cybersecurity is now a compliance obligation that the DOJ is prepared to enforce through the FCA.
Defense contractor MORSECORP Inc. of Cambridge, Massachusetts, paid $4.6 million after admitting to using unsecured third-party email hosting, failing to implement NIST SP 800-171 controls, and lacking consolidated system security plans. A third-party cybersecurity consultant informed MORSECORP in July 2022 that its actual assessment score was -142 (under the DoD Assessment Methodology, a fully compliant system scores 110 and the floor is -203), and the company did not update its score in the DoD reporting system, the Supplier Performance Risk System (SPRS), until June 2023, three months after receiving a federal subpoena, according to the DOJ.
The Whistleblower Engine
Qui tam relators — insiders who file suit on behalf of the government — have been the engine driving most of these cases. The MORSECORP complaint was filed by Kevin Berich, the company’s head of security and facility security officer. The Illumina case was brought by Erica Lenore, a former director of platform management. The Raytheon suit was filed by Branson Kenneth Fowler Sr., a former director of engineering, who received over $1.5 million as his share of the recovery. Georgia Tech Research Corporation’s $875,000 settlement stemmed from a complaint by two former members of the university’s cybersecurity team, Christopher Craig and Kyle Koza, who received $201,250.
Across all FCA matters in FY 2025, whistleblower-filed lawsuits outnumbered DOJ-initiated cases by a ratio exceeding three to one, and the 1,297 qui tam actions filed that year set a single-year record, surpassing FY 2024's previous high of 980 and nearly doubling the average annual qui tam filings from FY 2010 through FY 2023, according to the DOJ. In cybersecurity cases specifically, Jenny noted that whistleblowers have continued to play a dominant role. That pattern creates a practical reality for any organization holding federal contracts: the employees closest to cybersecurity compliance gaps are the employees most likely to report them, and federal law gives those employees a financial incentive to do so. Under 31 U.S.C. § 3730(d), a relator's share is 15 to 25 percent of the recovery when the government intervenes and 25 to 30 percent when it does not.
Private Equity Is Now on the Hook
One of the most consequential developments in FY 2025 was the $1.75 million settlement with Aero Turbine Inc. and its private equity owner, Gallant Capital Partners. Between 2018 and 2020, ATI allegedly failed to implement required NIST SP 800-171 controls and, during a two-month period in 2019, shared files containing protected defense information with an external software company based in Egypt, according to the DOJ. A Gallant employee was allegedly directly involved in some of the misconduct.
DOJ and commentators have identified this as the first cyber-related FCA settlement to include a private equity sponsor as a defendant. PE sponsors that acquire companies holding government contracts inherit not just the revenue but the compliance obligations — and the enforcement exposure. ATI and Gallant voluntarily self-disclosed the issues and cooperated with the investigation, receiving cooperation credit in the form of an approximate 1.5x damages multiplier rather than the standard 2x, according to analysis by Arnold & Porter. That reduced multiplier tells sponsors something valuable: self-disclosure and cooperation lower the bill, but they do not eliminate it.
CMMC 2.0 Raises the Compliance Floor — and the FCA Risk
The enforcement surge is colliding with a regulatory expansion that will multiply FCA exposure. The Cybersecurity Maturity Model Certification 2.0 program, finalized through a DFARS procurement rule published September 10, 2025, and effective November 10, 2025, imposes contractual cybersecurity certification requirements on every entity doing business with the Department of Defense that stores, transmits, or processes Federal Contract Information or Controlled Unclassified Information.
Phase 1 implementation began in November 2025, with contracting officers including self-assessed Level 1 and Level 2 CMMC requirements in select solicitations and contracts. Under DoD's four-phase implementation plan, Phase 2, starting in November 2026, will require evaluations by certified third-party assessment organizations (C3PAOs) for many Level 2 contracts. Phase 3, beginning in November 2027, continues expanding Level 2 certification requirements and introduces government-led Level 3 assessments, conducted by DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), for the most sensitive CUI contracts, and Phase 4, from November 2028 onward, brings full implementation across all covered contracts.
Each phase creates a new certification that contractors must make — and each certification is a potential False Claims Act predicate if the underlying compliance is deficient. Nine of the fifteen total cyber FCA settlements to date have involved DoD cybersecurity requirements, making CMMC’s expansion of those requirements directly relevant to enforcement trends. Organizations that invest in genuine readiness will be positioned to meet both CMMC audits and the DOJ’s misrepresentation standard. Organizations that treat certification as a paperwork exercise are building the fact patterns for the next round of settlements.
For information governance professionals, the CMMC framework compounds an existing obligation. Accurate classification of Controlled Unclassified Information and Federal Contract Information is the upstream dependency for every downstream cybersecurity control. When an organization misclassifies data — failing to tag CUI where it exists, or failing to map where FCI resides across systems — the required NIST SP 800-171 controls may never be applied. That classification failure can cascade into a cybersecurity compliance failure, which in turn becomes an FCA predicate when the organization certifies compliance it has not achieved. IG program maturity is no longer an internal best practice; it is a front-line defense against enforcement risk.
A New Institutional Architecture for Fraud Enforcement
The Civil Cyber-Fraud Initiative now operates within a broader institutional framework. In January 2026, Vice President JD Vance announced the creation of a new Department of Justice Division for National Fraud Enforcement, charged with enforcing federal criminal and civil fraud laws against schemes targeting government programs. In March 2026, President Trump signed an executive order establishing the Task Force to Eliminate Fraud, chaired by the Vice President and involving representatives from nearly a dozen federal agencies.
While neither the new division nor the task force was created specifically for cybersecurity cases, both broaden the infrastructure available to pursue FCA matters across sectors. Combined with record FCA recoveries of $6.8 billion in FY 2025 — the highest annual total in the statute’s history, surpassing the previous record of $6.2 billion set in 2014 — the message from the executive branch is unambiguous: fraud enforcement against federal contractors is receiving sustained institutional investment, and cybersecurity compliance sits firmly within its scope.
The FCA’s reach also extends well beyond defense contracting. Any entity receiving federal funds — universities holding research grants, healthcare providers billing Medicare or Medicaid, infrastructure contractors funded through federal appropriations — faces potential FCA exposure if it certifies cybersecurity compliance that does not match reality. The Penn State University settlement of $1.25 million in October 2024, which resolved allegations of cybersecurity noncompliance on DoD and NASA contracts, and the Georgia Tech settlement demonstrate that academic and research institutions are firmly within the enforcement perimeter.
What Comes Next
For cybersecurity, information governance, and eDiscovery professionals, the enforcement trend demands concrete action. Organizations holding federal contracts should conduct independent cybersecurity assessments rather than relying solely on self-scoring, reconcile their actual posture against the requirements in their contracts, and update their reported SPRS score promptly whenever an assessment changes it; a control that is merely listed on a plan of action and milestones is not an implemented control and should not be scored as one. Compliance teams should ensure that system security plans exist, are current, and reflect reality rather than aspiration. Legal departments should establish protocols for voluntary self-disclosure, recognizing that the Aero Turbine settlement demonstrates both the benefits and the limits of cooperation credit.
The eDiscovery implications are equally direct. Each settlement generates discoverable fact patterns, internal investigation records, and compliance documentation that will inform future enforcement actions. Organizations facing qui tam complaints will need to preserve and produce evidence of their cybersecurity compliance efforts — or lack thereof — creating preservation obligations that cross-cut IT, security, legal, and executive functions. Litigation hold processes should explicitly contemplate cybersecurity assessment records, vulnerability scan results, system security plans, and correspondence with third-party auditors — the very categories of evidence the DOJ has relied on in case after case.
As the record-setting FY 2025 statistics and expanding case mix indicate, the DOJ's playbook has moved beyond proof of concept. Fifteen cyber settlements since the initiative's launch, more than $52 million recovered in a single fiscal year, a tripling of resolution volume, and settlements that for the first time reached a medical device manufacturer, a private equity sponsor, and a defense supply chain subcontractor collectively establish that cyber FCA enforcement is not experimental. It is operational.
The question for organizations in the defense industrial base, healthcare, higher education, and every other sector touching federal contracts is direct: if the DOJ subpoenaed your cybersecurity compliance records tomorrow, would the documentation match the certifications you have already submitted?
News Sources
- False Claims Act Settlements and Judgments Exceed $6.8B in Fiscal Year 2025 (U.S. Department of Justice)
- Raytheon Companies and Nightwing Group to Pay $8.4M to Resolve False Claims Act Allegations Relating to Non-Compliance with Cybersecurity Requirements (U.S. Department of Justice)
- Illumina Inc. to Pay $9.8M to Resolve False Claims Act Allegations Arising from Cybersecurity Vulnerabilities in Genomic Sequencing Systems (U.S. Department of Justice)
- Health Net Federal Services, LLC and Centene Corporation Agree to Pay Over $11 Million to Resolve False Claims Act Liability for Cybersecurity Violations (U.S. Department of Justice)
- Defense Contractor MORSECORP Inc. Agrees to Pay $4.6 Million to Settle Cybersecurity Fraud Allegations (U.S. Department of Justice)
- California Defense Contractor and Private Equity Firm Agree to Pay $1.75M to Resolve False Claims Act Liability (U.S. Department of Justice)
- Georgia Tech Research Corporation Agrees to Pay $875,000 to Resolve Civil Cyber-Fraud Litigation (U.S. Department of Justice)
- Top DOJ False Claims Act Official Confirms ‘Significant Upward Trajectory’ In Cybersecurity Enforcement (Akin Gump)
- The DOJ’s Civil Cyber-Fraud Initiative Lives On: Insights from Cybersecurity Enforcement Through the False Claims Act (Data Protection Report)
- False Claims Act Enforcement: Record-Breaking Year Signals Continued Attention to Cybersecurity (Mayer Brown)
- Illinois Precision Machining Company Agrees to Pay $421,234 to Resolve Alleged False Claims Act Violations (U.S. Department of Justice)
- The Pennsylvania State University Agrees to Pay $1.25M to Resolve False Claims Act Allegations Relating to Non-Compliance with Contractual Cybersecurity Requirements (U.S. Department of Justice)
- Fact Sheet: President Donald J. Trump Establishes New Department of Justice Division for National Fraud Enforcement (The White House)
- Cybersecurity Maturity Model Certification (CMMC) Program Procurement Final Rule Announced (Inside Government Contracts)
Assisted by GAI and LLM Technologies
Source: ComplexDiscovery OÜ
The post The DOJ’s Cyber FCA Playbook Is Working as Enforcement Triples and Shows No Signs of Slowing appeared first on ComplexDiscovery.