Cybersecurity Noncompliance Triggers False Claims Act Settlement for Defense Contractor

The National Law Review· July 11, 2026

The U.S. Department of Justice has reached a settlement exceeding $500,000 with a defense contractor to resolve allegations of cybersecurity noncompliance under the False Claims Act. The contractor allegedly failed to implement mandatory security controls for protecting Controlled Unclassified Information while continuing to bill the Department of the Navy over a four-year period. This enforcement action highlights the government's increasing use of fraud statutes to penalize defense firms that misrepresent their adherence to mandatory cybersecurity frameworks.

The settlement addresses allegations that a defense contractor knowingly failed to meet cybersecurity requirements incorporated into its contracts with the Department of the Navy. According to the DOJ, the firm did not fully implement security controls specified in NIST Special Publication 800-171, which governs the protection of Controlled Unclassified Information (CUI) on nonfederal systems. These alleged compliance failures persisted for nearly four years, during which the contractor continued to perform on contracts and submit invoices for payment despite lacking the required safeguards. A Defense Contract Management Agency (DCMA) assessment revealed a score of negative 170 for the contractor, a significant deficiency given the scoring range of negative 203 to positive 110. The government contended that these unimplemented controls created material vulnerabilities that could have allowed for the unauthorized exfiltration of sensitive defense data.

This case illustrates a strategic shift by the DOJ to frame cybersecurity deficiencies as fraudulent conduct under the False Claims Act (FCA) rather than simple contract administration issues. Historically, such failures might have resulted in cure notices, negative performance evaluations, or potential debarment, but the government now argues that submitting invoices while certifying compliance with mandatory clauses—such as DFARS 252.204-7012—constitutes a false claim if those requirements are not met. The legal theory posits that if a contractor represents compliance to the government and submits claims for payment despite known deficiencies, those invoices become the basis for FCA liability. Assistant Attorney General Brett Shumate emphasized that contractors entrusted with sensitive information must strictly follow these rules, signaling that the DOJ’s enforcement in this area remains a major priority.

For the broader defense industrial base, this enforcement action serves as a warning that cybersecurity is a legal and contractual certification issue rather than just a technical IT task. The federal government is increasingly coordinating with the Naval Criminal Investigative Service (NCIS), the DCMA, and specialized Department of Defense assessment teams to identify compliance gaps. This activity coincides with the creation of the Task Force to Eliminate Fraud and a new National Fraud Enforcement Division designed to strengthen oversight of federal programs. Contractors are advised to immediately reassess their System Security Plans (SSPs) and ensure that their internal certifications and Plans of Action and Milestones (POAMs) accurately reflect their actual security posture. Proactively evaluating compliance is now essential, as the DOJ continues to signal that cybersecurity-related FCA enforcement is a significant risk area for companies in the federal marketplace.

Read the full story at The National Law Review

Summary generated by RabbitReport AI from public reporting. The full article and original reporting belong to The National Law Review.