Defense Contractor LOGZONE Settles False Claims Act Allegations Over Cybersecurity Non-Compliance

Alabama-based logistics provider LOGZONE has agreed to pay more than $507,000 to resolve allegations that it misrepresented its compliance with mandatory Department of Defense cybersecurity standards. The settlement follows a Department of Justice investigation that found the company claimed a perfect security score despite failing to implement required controls for protecting sensitive information. This case signals the Pentagon's increasing use of the False Claims Act to enforce cybersecurity mandates as the industry prepares for stricter verification requirements under the CMMC program.
LOGZONE, an Alabama-based logistics services provider, has agreed to pay $507,144—including $253,572 in restitution—to resolve allegations that it misrepresented its compliance with Pentagon cybersecurity requirements. The settlement addresses two contracts awarded by the Navy between 2021 and 2022 for logistics, inventory management, and facility support services at the Naval Oceanographic Command, located at the Stennis Space Center in Mississippi. According to the Department of Justice, the company received more than $682,000 under these contracts through March 2025 while failing to fully implement the security controls mandated by its agreements.
The investigation focused on LOGZONE’s failure to implement NIST Special Publication 800-171, a framework of 110 security controls designed to protect controlled unclassified information (CUI) on non-federal systems. While the company’s contracts required it to report cybersecurity assessment scores via the Supplier Performance Risk System (SPRS), LOGZONE submitted a perfect self-assessment score of 110 in October 2021. However, a 2024 review conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) found the company’s actual score was negative 170, placing it near the bottom of the program’s scoring range and indicating a widespread lack of required protections.
This enforcement action highlights the Department of Defense’s increasing scrutiny of the defense industrial base as it transitions from self-assessment to the Cybersecurity Maturity Model Certification (CMMC) program. While the LOGZONE case is not a direct CMMC violation, the NIST 800-171 controls the company failed to implement are the foundation for CMMC Level 2, which will require third-party verification starting in November 2026. Industry experts and cybersecurity attorneys view this False Claims Act settlement as a preview of how the Pentagon will pursue contractors that inaccurately report their security posture, potentially opening the door for competitors to use such compliance failures as the basis for future bid protests.
Summary generated by RabbitReport AI from public reporting. The full article and original reporting belong to DefenseScoop.