Alabama Defense Contractor to Pay $507,144 to Resolve False Claims Act Cybersecurity Allegations

On June 18, 2026, the U.S. Department of Justice announced that LOGZONE Inc., a Huntsville, Alabama defense contractor, agreed to pay $507,144 to resolve allegations under the False Claims Act (FCA) that it knowingly failed to comply with cybersecurity requirements in two contracts with the Department of the Navy. The resolution is the latest in a string of cyber-fraud enforcement actions targeting federal contractors that certify compliance with cybersecurity controls they have not, in fact, implemented.

Background

The settlement resolves allegations that, from May 2021 to March 2025, LOGZONE submitted false or fraudulent claims for payment on two Navy contracts for which it had not satisfied the contracts’ cybersecurity requirements. According to DOJ, LOGZONE allegedly failed to implement certain security controls in NIST Special Publication 800-171 that, if left unimplemented, could lead to significant exploitation of the system or exfiltration of sensitive defense information.

The deficiencies surfaced when the Defense Contract Management Agency (DCMA) assessed LOGZONE’s implementation of the NIST SP 800-171 controls. LOGZONE received a score of -170, near the low end of the possible range of -203 to 110—a result the government treated as evidence that the contractor was far from the compliance posture its contracts required. The settlement agreement resolves the matter; the claims are allegations only, and there has been no determination of liability.

A Coordinated, Cross-Agency Enforcement Effort

The resolution was the product of coordination among the Justice Department’s Civil Division (Commercial Litigation Branch, Fraud Section) and the U.S. Attorney’s Office for the Northern District of Alabama, with assistance from the Department of the Navy Office of the General Counsel, NCIS, the Department of the Army Criminal Investigation Division, and DCMA’s Defense Industrial Base Cybersecurity Assessment Center. DOJ framed the action against the backdrop of the Administration’s newly launched Task Force to Eliminate Fraud and National Fraud Enforcement Division, signaling that cyber-fraud matters will remain a front-line FCA priority. As we have previously discussed, this enforcement theory traces to DOJ’s Civil Cyber-Fraud Initiative, which from the outset signaled a new approach to contractor and grantee cybersecurity enforcement.

Why it Matters

The LOGZONE settlement reinforces a now-familiar message: a contractor’s representations about its NIST SP 800-171 posture can give rise to FCA exposure. A low DCMA assessment score is not merely a compliance gap—it can become documentary evidence that claims for payment were knowingly false. Cybersecurity enforcement has been a sustained focus of FCA recoveries, as we examined in our review of a record-breaking enforcement year and our False Claims Act FY 2025 Year in Review.

Takeaways

• Treat self-assessment scores as legal records. DCMA and Supplier Performance Risk System scores reflect compliance representations the government can later test in an FCA action. Contractors should ensure scores are accurate, current, and supported by documented controls.
• Close the gap between certification and implementation. The alleged conduct spanned nearly four years. Periodic gap assessments against NIST SP 800-171—and prompt remediation or disclosure of deficiencies—reduce the risk that a stale or aspirational score becomes the basis for liability.
• Watch the evolving contractual baseline. Cybersecurity obligations for federal contractors continue to shift, from proposed FAR cybersecurity standardization to the recent recalibration of federal software-security requirements. Mapping each contract’s specific clauses remains essential.
• Mind the whistleblower channel. Cyber-fraud matters are frequently driven by insiders. Strong internal reporting, escalation, and remediation processes help surface issues before they become qui tam complaints.

Mayer Brown will continue to monitor cyber-related FCA enforcement and its implications for government contractors. Defense and civilian-agency contractors should revisit their cybersecurity compliance certifications now, before they are tested in an investigation.