March 11 2026

False Claims Act Enforcement: Record-Breaking Year Signals Continued Attention to Cybersecurity


Last month, the Department of Justice (DOJ) released its statistics for False Claims Act (FCA) enforcement during fiscal year 2025. Settlements and judgments exceeded a record-breaking $6.8 billion, and the DOJ recorded the highest number of whistleblower qui tam lawsuits ever filed, totaling 1,297. These numbers reflect the DOJ’s “commitment to holding bad actors accountable,” with particular emphasis on cases against government contractors and grantees that knowingly misrepresented their compliance with applicable cybersecurity requirements.

Cybersecurity Enforcement Gains Momentum

Cybersecurity enforcement gained significant momentum in fiscal year 2025, with the DOJ recovering more than $52 million across nine cybersecurity-related FCA settlements. This represents a substantial increase from years past, with total recoveries in this area more than tripling in each of the past two years. Deputy Assistant Attorney General Brenna Jenny characterized this growth as a “significant upward trajectory” and confirmed that cybersecurity fraud remains a key FCA enforcement priority.

FCA Enforcement Continues Civil Cyber-Fraud Initiative Efforts

The Biden-era Civil Cyber-Fraud Initiative, first announced in October 2021, used the FCA’s treble damages and penalties to pursue entities that knowingly made false claims of compliance with contractual cybersecurity obligations. Although DOJ no longer refers to the Initiative by name, it has settled fifteen civil cyber-fraud cases since the Initiative was first launched, more than half of them during fiscal year 2025. Last year’s settlements demonstrate the breadth of the Initiative’s enforcement reach, spanning defense contractors, healthcare benefit administrators, medical device manufacturers, universities, and private equity firms.

Key Fiscal Year 2025 Settlements

Military Health Benefits Contractor Cybersecurity Settlement ($11.2 million) – Feb. 2025

In one of the year’s largest cybersecurity settlements, a military health benefits contractor and its parent company agreed to pay $11.2 million to resolve allegations that they falsely certified compliance with cybersecurity requirements under TRICARE contracts for military health benefits. The government alleged that the contractor failed to perform required vulnerability scanning and ignored audit and internal warnings regarding cybersecurity deficiencies. Notably, this was a government-initiated case, not a whistleblower action.

Biotechnology Company Medical Device Settlement ($9.8 million) – July 2025

This was the first FCA cyber settlement involving claims that a medical device manufacturer failed to incorporate adequate product cybersecurity in its software design and development. The settlement resolved allegations that the company falsely certified compliance with cybersecurity standards published by the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST). Notably, the whistleblower brought suit in the absence of any data breach. The action was predicated on FDA’s relatively recent cybersecurity requirements for medical devices, opening the door to FCA enforcement of those regulations.

Defense Contractor Successor Liability Settlement ($8.4 million) – May 2025

A defense contractor and its acquiring entity entered an $8.4 million settlement to resolve whistleblower allegations that they failed to comply with Department of War (DoW) cybersecurity requirements contained in the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 and Federal Acquisition Regulation (FAR) 52.204-21, which require contractors to provide “adequate” and “basic” security for covered information systems, respectively, by implementing NIST SP 800-171.

When the acquiring company purchased the original contractor’s cybersecurity and intelligence services business, it became the “successor in liability,” which underscores the need for acquiring entities to conduct due diligence of a target’s potential False Claims Act exposure and to pursue voluntary disclosures under policies that encourage them in exchange for safe harbor.

Defense Contractor Cloud Services Settlement ($4.6 million) – March 2025

A defense contractor agreed to pay $4.6 million to resolve whistleblower allegations that it failed to implement required NIST SP 800-171 controls under Department of War contracts, submitted false Supplier Performance Risk System (SPRS) scores, and used non-compliant cloud services.

Private Equity Firm Cybersecurity Settlement ($1.75 million) – July 2025

This settlement is the first FCA cybersecurity settlement involving a private equity firm. A defense contractor and its private equity owner agreed to pay $1.75 million to resolve allegations arising from their voluntary self-disclosure of cybersecurity violations. According to the settlement, the contractor allegedly failed to comply with NIST SP 800-171 as required by DFARS clause 252.204-7012 and, under direction from a private equity firm employee, improperly provided access to Air Force controlled unclassified information (CUI) to a software company based in Egypt. The settlement acknowledged the companies’ self-disclosure and cooperation, for which they received credit.

University Grant Recipient Settlement ($1.25 million) – Oct. 2024

A major research university agreed to pay $1.25 million to resolve allegations that it failed to comply with cybersecurity requirements for 15 DoW and National Aeronautics and Space Administration (NASA) contracts and subcontracts by failing to implement certain NIST SP 800-171 security requirements and using an external cloud service provider that did not meet FedRAMP security requirements, among other deficiencies. As in other cybersecurity settlements, there were no allegations that a third party ever breached the university’s systems; the alleged noncompliance itself (once flagged by a whistleblower) was sufficient to attract DOJ attention. This case also underscores that recipients of federal grants, not just commercial contractors, face FCA exposure.

Defense Supply Chain Subcontractor Settlement ($421,234) – Dec. 2025

In December 2025, the DOJ announced a settlement with a subcontractor in the defense supply chain, when a precision machining supplier agreed to resolve allegations that it “knowing[ly] fail[ed] to provide adequate cybersecurity, as required by DFARS 252.204-7012, for the technical drawings of certain parts that [the company] supplied to contractors.” The case was initiated by a qui tam action filed by a former quality control manager.

Key Insights from DOJ’s Enforcement Priorities

Deputy Assistant Attorney General Brenna E. Jenny’s remarks at the January 2026 American Conference Institute’s Advanced Forum on False Claims and Qui Tam Enforcement provided insight into the DOJ’s cyber-fraud enforcement philosophy. Jenny emphasized that cyber-fraud cases are “not about data breaches” but are instead “premised on misrepresentations.” The statements highlight that the DOJ is not seeking to punish companies that are victims of sophisticated attacks, which can occur even when entities are completely compliant with all applicable cyber regulations. By that same token, however, FCA liability can arise even in the absence of any harm or damage to the government, merely from false representations of compliance with highly technical standards.

Other lessons to be gleaned from the prior year’s settlements include:

  • Increasing attention to defense contractors. Most of the DOJ’s cyber-related FCA settlements focus on defense contractors handling government data. Although self-attestations of compliance with NIST SP 800-171 have long been a part of the Federal Acquisition Regulation, heightened formality (and the need for third-party audits), stemming from recently implemented Cybersecurity Maturity Model Certification (CMMC) requirements, are likely to increase attention to this issue within companies (and, with it, the number of individuals who contemplate whistleblower reports).1
  • Carelessness counts. Although the FCA is limited to false claims that are made “knowingly,” 31 U.S.C. Section 3729(b)(1), the term includes “deliberate ignorance of the truth or falsity of information” or “reckless disregard of the truth or falsity of information,” not just actual knowledge. Contractors that submit CMMC affirmations without verifying their veracity, or that fail to promptly correct inaccurate compliance claims when new information comes to light over the life of the contract, are at risk of FCA enforcement and liability.
  • Responding to internal concerns and avoiding whistleblower complaints. Jenny’s comments acknowledging whistleblowers’ role in the DOJ’s cyber-fraud enforcement are an important warning to industry. Widespread FCA enforcement relies on whistleblowers to file complaints and rewards them for coming forward with a share of up to thirty percent of any government recovery. Several of the major fiscal year 2025 cybersecurity settlements originated from qui tam complaints filed by former employees with inside knowledge of cybersecurity practices. Companies must take internal employee concerns seriously and manage them appropriately. This includes evaluating and attending to internal reports such that whistleblowers lack the incentive to bring qui tam complaints (and the DOJ lacks the incentive to pursue them).
  • Self-disclosure and cooperation credit. Companies should also consider making disclosures to the government, whether mandatory or voluntary, and seek cooperation credit in the settlement of FCA claims pursuant to DOJ policies. A number of cybersecurity FCA settlements acknowledged cooperative measures and reflected credits in the form of reduced penalties.

Looking Ahead to Fiscal Year 2026

The DOJ’s fiscal year 2025 summary announcement confirms that cybersecurity standards will remain a basis for FCA enforcement. In January 2026, President Donald Trump established a new Department of Justice Division for National Fraud Enforcement to “enforce the Federal criminal and civil laws against fraud targeting Federal government programs, Federally funded benefits, businesses, nonprofits, and private citizens nationwide.” The combination of record-breaking recoveries, heightened regulatory requirements, and sustained whistleblower activity suggests robust continued enforcement in fiscal year 2026 and beyond.

Entities receiving federal funds and making cybersecurity commitments in connection with those funds, such as healthcare companies, defense contractors, and research institutions, should expect continued scrutiny of cybersecurity compliance. Investment in control frameworks aligned to certification of compliance, combined with preparedness to encourage and respond to internal compliance reports, to remediate, and to make appropriate voluntary disclosures, will be essential to managing FCA enforcement risk.

1 FAR 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting has since 2015 required “the covered contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.”
