Key Takeaways for Federal Contractors
The Department of Justice (DOJ) recently announced an $11.3 million settlement of False Claims Act allegations against a Department of Defense (DOD) contractor administering its TRICARE health insurance program that allegedly falsely certified compliance with DOD cybersecurity contract requirements between 2015 and 2018. The settlement underscores the government’s continued focus on using the False Claims Act (FCA) to enforce cybersecurity-related requirements against companies that contract with the federal government.
Ongoing FCA Cyber Enforcement
DOJ’s press release announcing the settlement does not refer to DOJ’s Civil Cyber Fraud Initiative, but it emphasizes DOJ’s “ongoing efforts” to enforce FCA liability in cybersecurity cases. This suggests that DOJ is committed to using the FCA as a powerful tool to enforce cybersecurity standards and hold government contractors responsible for failures to live up to federal cybersecurity standards.
The press release includes a pointed statement from Brett Shumate, who is currently the acting head of DOJ’s Civil Division and has been nominated for the permanent role, emphasizing that “the Justice Department will continue to pursue federal contractors that place [government] data at risk by failing to meet material cybersecurity requirements in their contracts.”
Even if DOJ's enforcement priorities shift in the coming months, a single employee with knowledge of where a government contractor's IT system falls short of federal cybersecurity standards may file a lawsuit under the FCA's qui tam provision. These qui tam suits can go forward with or without DOJ intervention in the case. The provision empowers private whistleblowers to file lawsuits alleging fraud against the government, and those private relators are eligible to receive as much as 30 percent of the total amount recovered.
AFCA May Further Increase Scrutiny of Cybersecurity Lapses
The recently passed Administrative False Claims Act (AFCA) may also prove to be a potent weapon for the government in enforcing contractual cybersecurity obligations. Passed in December 2024, the AFCA updates the existing law that permits federal agencies to pursue claims against government contractors on their own, without an FCA lawsuit. The AFCA increases the cap on claims from $150,000 to $1,000,000, streamlines the enforcement procedures, and allows agencies to recoup the costs of investigating and prosecuting AFCA matters.
These changes give agencies, including DOD, added incentive and additional tools to pursue smaller cybersecurity lapses that may not meet DOJ thresholds for FCA suits or attract attention from whistleblowers. Importantly, AFCA investigations also carry investigatory subpoena power, and agencies retain the ability to refer matters to DOJ for criminal and civil investigation if additional evidence is discovered during the investigation.
Role of DOD Authorities in Cyber-Focused FCA Investigations
This case also highlights the involvement of two components of the Department of Defense:
- Defense Criminal Investigative Service (DCIS). While DCIS has a smaller cyber investigative team than large law enforcement agencies like the FBI or components of the Department of Homeland Security, it is highly skilled and has worked closely with those law enforcement entities in recent high-profile cyber initiatives.
- The Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). DIBCAC assesses DOD contractors' cyber risk mitigation efforts and their compliance with the applicable cybersecurity standards.
Combining DIBCAC’s auditing infrastructure with DCIS’s cyber expertise could result in heightened scrutiny for DOD contractors.
DOD’s Cybersecurity Maturity Model Certification (CMMC) Program will be phased in throughout 2025, implementing cybersecurity rules in all DOD contracts through changes to the Defense Federal Acquisition Regulation Supplement (DFARS). The changes include third-party verification and additional cybersecurity assessment requirements to be added as an express condition of contracts with DOD.
The combination of additional regulations and heightened scrutiny from expert DOD oversight entities means that DOD contractors should carefully prepare for cybersecurity enforcement changes in the coming months.
The Long Tail of Compliance Failures
This settlement is another reminder that cybersecurity noncompliance can have a long tail. The alleged false certifications in this case occurred between 2015 and 2018, yet enforcement action is only now resulting in financial penalties. The gap between the underlying conduct and the finalized settlement underscores the extended risk horizon for federal contractors, reinforcing the need for ongoing compliance monitoring and proactive remediation of past cybersecurity lapses.
Risks of Inheriting Cybersecurity Liability
The contractor in this case was acquired in March 2016. The alleged false certifications of compliance with cybersecurity requirements were made annually, from November 2015 to November 2017, so the alleged conduct both predated and followed the acquisition. The alleged failures, which the contractor and its parent company denied, included a failure to timely scan for and remediate known vulnerabilities on the contractor's network and systems, and ignoring reports of numerous cybersecurity risks raised by third-party auditors and the contractor's internal audit department. The settlement agreement did not contain an admission of fault by either the contractor or its parent company. This highlights the need to assess cybersecurity risks in pre-acquisition diligence and to conduct post-acquisition remediation, particularly where the acquisition target has government contracts.
Debarment Still in Play?
The settlement does not prevent the federal government from pursuing suspension and debarment of the contractor, which, depending on how reliant an entity is on government contract revenue, can cause lasting damage to a contractor's future business.
What This Means for Your Organization
This settlement is the latest in a growing trend of cybersecurity-related FCA enforcement and part of a continued focus on cybersecurity compliance that will only grow as the government begins to use the new AFCA. Companies that have contracts with the federal government should consider proactive steps, conducted under privilege, to assess and mitigate their risk.