General Publications June 18, 2025

“Policy Shifts May Follow Burst of Defense Cyber Settlements,” Law360, June 18, 2025.

Extracted from Law360

Changes in presidential administrations always raise questions about what enforcement trends may follow. In the area of cybersecurity enforcement, the U.S. Department of Justice has provided a clear answer, at least for the near term.

Recent False Claims Act settlements announced by the DOJ suggest that compliance with federal cybersecurity standards for government contractors remains a key enforcement priority for the federal government.

FCA settlements with MORSECORP Inc., announced in March, and with RTX Corp., Raytheon Company, Nightwing Group LLC and Nightwing Intelligence Solutions LLC (the successor owner of Raytheon's cybersecurity business), announced in May, reflect that the DOJ, through its Civil Cyber-Fraud Initiative, continues to use the FCA as a primary mechanism to ensure compliance with federal cybersecurity regimes for government contractors.

Cybersecurity Enforcement Through the Civil Cyber-Fraud Initiative

The FCA establishes penalties for any person who "knowingly presents, or causes to be presented, a false or fraudulent claim for payment or approval" by the federal government. Any person who violates the FCA may be liable for three times the government's damages, plus significant monetary penalties.

The DOJ's Civil Cyber-Fraud Initiative, announced under the Biden administration in 2021, uses the FCA as a key vehicle to combat noncompliance with cybersecurity standards by federal contractors.

FCA lawsuits can either be brought by the government directly or on behalf of the government by whistleblowers, called relators. Cybersecurity FCA cases typically allege that a government contractor knowingly submitted a false attestation of compliance with governing cybersecurity standards when, in fact, the contractor was aware that its cyber compliance was deficient in some material way.

When FCA cases are brought by whistleblowers, the government can elect to intervene and take over the prosecution of the case, and will do so in important cases, as it did in August 2024 in the Georgia Institute of Technology case discussed below.

New Settlements Signal Continued Enforcement Focus

MORSE Settlement

Earlier this year, on March 26, the DOJ announced that it had reached a $4.6 million settlement agreement with MORSE,[1] a government contractor that provides services to the U.S. Departments of the Army and Air Force, in a qui tam action involving MORSE's cybersecurity program.[2]

As a condition of the settlement, MORSE admitted that during the relevant periods it did not fully implement all cybersecurity controls in National Institute of Standards and Technology Special Publication 800-171, and that it failed to ensure that its third-party software-as-a-service email hosting provider met the Federal Risk and Authorization Management Program moderate baseline, as required by Defense Federal Acquisition Regulation Supplement 252.204-7012(c)-(g).

MORSE also admitted that it failed to maintain a "consolidated written plan for each of its covered information systems describing system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems," commonly referred to as a system security plan.

Finally, "[o]n January 21, 2021, MORSE submitted [a NIST SP 800-171] summary level basic assessment score of 104 for its implementation of NIST SP 800-171 security controls" to the U.S. Department of Defense's Supplier Performance Risk System.

However, MORSE learned after engaging a third-party vendor to conduct a cybersecurity gap analysis that, as of July 27, 2022, MORSE had only implemented 22% of NIST SP 800-171 controls, and that its summary score was in fact -142. According to the settlement, MORSE "did not update its score ... until June 14, 2023, when it submitted ... a third-party score of 57, followed by third-party scores of 82 in October 2023 and 110 in May 2024."
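The summary-level score MORSE posted to SPRS is produced by the DoD's NIST SP 800-171 Assessment Methodology: the score starts at 110 (one point per requirement) and each requirement that is not implemented subtracts a weight of 1, 3 or 5 points, which is how a contractor with only 22% of controls in place can hold a score far below zero. The Python below is an added illustration of that arithmetic, not code from the article, the settlement or any of the parties. The ten-requirement subset, its weights and the sample gap-analysis results are constructed for the example (the official table covers all 110 requirements and assigns its own weights), and the reduced deduction for partially implemented multifactor authentication (3.5.3) and FIPS-validated cryptography (3.13.11), as well as the rule that no assessment can be scored without a system security plan (3.12.4), are stated as the author of this example understands the methodology.

```python
"""Added example: how a NIST SP 800-171 summary-level (SPRS) score is built.

Score = (number of requirements) - sum(weight of each unimplemented requirement).
With the full 110-requirement table the starting value is 110; here a ten-requirement
subset is used, so the starting value is 10. Weights are ASSUMED for illustration.
"""
from __future__ import annotations

from enum import Enum


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"              # reduced deduction only for 3.5.3 and 3.13.11
    NOT_IMPLEMENTED = "not_implemented"


# Assumed weights for a constructed subset; NOT the official DoD table.
WEIGHTS: dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.3": 1,    # control the flow of CUI
    "3.3.1": 5,    # create and retain audit logs
    "3.4.1": 3,    # baseline configurations and inventories
    "3.5.3": 5,    # multifactor authentication
    "3.8.1": 3,    # protect system media containing CUI
    "3.11.2": 5,   # vulnerability scanning
    "3.13.11": 5,  # FIPS-validated cryptography
    "3.14.1": 5,   # identify, report and correct system flaws
}

# Assumed partial-credit rule: deduct 3 instead of the full 5 when MFA or
# FIPS-validated crypto is partly in place (e.g. MFA only for remote/privileged users).
PARTIAL_DEDUCTION: dict[str, int] = {"3.5.3": 3, "3.13.11": 3}


def sprs_score(status: dict[str, Status], weights: dict[str, int] = WEIGHTS,
               has_ssp: bool = True) -> int:
    """Return the summary-level score for the given implementation status.

    Requirements absent from `status` count as not implemented, the conservative
    reading an assessor applies. Without a system security plan (3.12.4) the
    methodology cannot be applied, so scoring is refused outright.
    """
    if not has_ssp:
        raise ValueError("no system security plan: assessment cannot be scored")
    score = len(weights)                          # 110 with the full requirement set
    for ctrl, weight in weights.items():
        state = status.get(ctrl, Status.NOT_IMPLEMENTED)
        if state is Status.IMPLEMENTED:
            continue
        if state is Status.PARTIAL and ctrl in PARTIAL_DEDUCTION:
            score -= PARTIAL_DEDUCTION[ctrl]
        else:                                     # partial elsewhere = not implemented
            score -= weight
    return score


def implemented_fraction(status: dict[str, Status],
                         weights: dict[str, int] = WEIGHTS) -> float:
    """Share of requirements fully implemented (what a gap analysis reports)."""
    done = sum(1 for c in weights if status.get(c) is Status.IMPLEMENTED)
    return done / len(weights)


# Constructed sample gap analysis: two requirements fully in place, MFA partial.
GAP_ANALYSIS: dict[str, Status] = {
    "3.1.3": Status.IMPLEMENTED,
    "3.4.1": Status.IMPLEMENTED,
    "3.5.3": Status.PARTIAL,
}
FULLY_COMPLIANT: dict[str, Status] = {c: Status.IMPLEMENTED for c in WEIGHTS}

if __name__ == "__main__":
    pct = implemented_fraction(GAP_ANALYSIS)
    print(f"{pct:.0%} of requirements implemented, score {sprs_score(GAP_ANALYSIS)}")
    print(f"all requirements implemented, score {sprs_score(FULLY_COMPLIANT)}")
```

Run stand-alone, the constructed gap analysis scores -26 with 20% of the subset implemented, while the fully implemented set scores the maximum of 10; with the real table the same arithmetic runs from 110 downward, so a posted score of 104 and an assessed score of -142 describe very different environments, which is why a score left unchanged after a contrary gap analysis is the kind of fact an FCA complaint turns on.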

Raytheon and Nightwing Settlement

On May 1, the DOJ announced an $8.4 million settlement with defense contractors RTX, Raytheon and Nightwing to resolve allegations of noncompliance with federal cybersecurity requirements across 29 different contracts and subcontracts with the Defense Department between 2015 and 2021.[3]

Though RTX, Raytheon and Nightwing denied all allegations of wrongdoing, the DOJ alleged that:

  • Raytheon used a development network referred to as "1.0" for unclassified work that stored covered defense information on the network without implementing required NIST SP 800-171 controls;
  • Raytheon did not develop a system security plan for the 1.0 network, the foundational NIST SP 800-171 requirement that documents how an organization meets each of the standard's 110 security controls; and
  • Despite lacking this system security plan, Raytheon submitted claims for payment pertaining to the 1.0 network.

Notably, neither the MORSE settlement nor the Raytheon and Nightwing settlement appears to have arisen from a reported data breach, which commonly attracts regulator scrutiny and can give rise to FCA investigations.

Rather, both were brought by whistleblowers raising concerns with the cybersecurity controls in place outside of any publicly reported security incident or data breach — reflecting a growing trend of cyber whistleblowers bringing qui tam cases involving cyber compliance practices.

Challenging Standards, Evolving Risks, a Burst of Enforcement and a Transition Into New Policy Prerogatives

Cybersecurity standards and obligations for government contractors are burdensome and challenging to meet, even for large and sophisticated entities. Government contractors are often faced with having to determine where one covered defense system begins and the rest of the company's environment ends — all within environments that are constantly changing.

Government contracts are also rarely models of clarity and often conflict with each other, resulting in a misalignment of critical contract terms or definitions. These issues are commonly exacerbated when contractors have legacy contracts that are not amended following regulatory changes, such as incorporation of Federal Acquisition Regulation or Defense Federal Acquisition Regulation Supplement clauses. All of these challenges can put a tremendous strain on defense contractors.

These challenges have been reflected in a growing collection of cyber FCA settlements announced by the DOJ over the past two years. For example, on Feb. 18, the DOJ announced that it had reached an $11.25 million settlement agreement with Centene Corp. and its subsidiary, Health Net Federal Services Inc., based on alleged noncompliance with NIST SP 800-53, which both companies denied.[4]

Other notable examples include Decker v. Pennsylvania State University, a September 2023 qui tam lawsuit against Penn State[5] over its alleged failure to adequately safeguard Defense Department data, which was settled in October 2024 for $1.25 million.[6]

And in August 2024, the DOJ intervened for the first time in a cybersecurity qui tam action against Georgia Tech, alleging that Georgia Tech had submitted false summary scores purporting to demonstrate its compliance with the NIST SP 800-171 standard.[7] That case remains ongoing, but recent case activity suggests that a settlement is imminent.[8]

Despite this upward trend of FCA cyber enforcement against government contractors, the broader federal cyber regulatory posture suggests that the government is moving to a more scaled-back regulatory enforcement approach. This burst of cyber enforcement activity may represent the closing out of several Civil Cyber-Fraud Initiative matters and a transition period as the Trump administration implements its policy goals.

Government contractors should continue to monitor cases and developments in this space for a clearer signal of which cybersecurity priorities the DOJ and related agencies will continue to pursue.

Mitigating Cyber FCA Risks: Ounce of Prevention Is Worth Pound of Cure

Luckily, government contractors can take steps to manage and mitigate these risks. Effective management of cyber risks starts with employee and managerial awareness of cyber compliance obligations. This can be achieved through thoughtful and timely employee trainings, particularly when key developments like regulatory changes occur.

Contractors should also prioritize regular reviews and assessments of their programs and policies to ensure that they are designed to meet current and future obligations (for example, phased obligations like Cybersecurity Maturity Model Certification), that routine testing shows that cyber controls are achieving their intended outcomes, and that any posted SPRS score is updated promptly when an assessment or gap analysis produces a different result, since the MORSE settlement turned on a score left unchanged for nearly a year after a contrary third-party assessment.

Additionally, contractors should maintain an effective reporting structure that encourages employees to confidentially report cybersecurity issues without fear of retaliation.


[1] DOJ Office of Public Affairs, "Defense Contractor MORSECORP Inc. Agrees to Pay $4.6 Million to Settle Cybersecurity Fraud Allegations," March 26, 2025, https://www.justice.gov/opa/pr/defense-contractor-morsecorp-inc-agrees-pay-46-million-settle-cybersecurity-fraud.

[2] United States ex rel. Berich v. MORSECORP, Inc., No. 23-cv-10130 (D. Mass. 2025), https://www.justice.gov/d9/2025-03/usa_v._morse_-_settlement_agreement.pdf.

[3] DOJ Office of Public Affairs, "Raytheon Companies and Nightwing Group to Pay $8.4M to Resolve False Claims Act Allegations Relating to Non-Compliance with Cybersecurity Requirements in Federal Contracts," May 1, 2025, https://www.justice.gov/opa/pr/raytheon-companies-and-nightwing-group-pay-84m-resolve-false-claims-act-allegations-relating.

[4] DOJ Office of Public Affairs, "Health Net Federal Services, LLC and Centene Corporation Agree to Pay Over $11 Million to Resolve False Claims Act Liability for Cybersecurity Violations," Feb. 18, 2025, https://www.justice.gov/opa/pr/health-net-federal-services-llc-and-centene-corporation-agree-pay-over-11-million-resolve.

[5] Alston & Bird Privacy, Cyber & Data Strategy Blog, "Penn State University Hit with False Claims Act Suit for Alleged Cybersecurity Deficiencies," Sept. 25, 2023, https://www.alstonprivacy.com/penn-state-university-hit-with-false-claims-act-suit-for-alleged-cyber-security-deficiencies/.

[6] United States ex rel. Decker v. Pa. State Univ., No. 2:22-cv-03895 (E.D. Pa. 2024), https://www.justice.gov/archives/opa/media/1374276/dl.

[7] Alston & Bird, "Justice Department Intervention in Cyber False Claims Act Case Signals Escalation of Risk for Government Contractors," Sept. 3, 2024, https://www.alston.com/en/insights/publications/2024/09/cyber-false-claims-act-case-signals-escalation.

[8] United States ex rel. Craig v. Ga. Tech Rsch. Corp., No. 22-cv-2698, Dkt. 50 (N.D. Ga. May 28, 2025).
