Uptick in FCA Settlements Underscores that Cybersecurity Compliance is a DOJ Priority

The DOJ has settled the sixth cybersecurity False Claims Act case in just eight months, marking fourteen settlements in less than four years since the DOJ launched its Civil Cyber-Fraud Initiative (CCFI). These settlements and the upcoming (and long-awaited) implementation of the CMMC program cement cybersecurity compliance as a DOJ enforcement priority and underscore the agency’s commitment to using the False Claims Act against contractors who fail to meet their cybersecurity obligations.

FCA Enforcement of Cybersecurity Compliance is on the Rise

Prior to the CCFI, there were only two public cybersecurity FCA cases—(1) the Cisco case, which was filed in 2011 and settled in 2019 for $8.6 million, and (2) the Aerojet case, which became public in 2017 and settled for $9 million just after the launch of the CCFI. Since 2023, cybersecurity FCA settlements have steadily trended upwards.

All told, cybersecurity FCA cases have recovered roughly $75 million for the government.

Many of the largest recoveries have come from whistleblower-initiated (aka qui tam) lawsuits—in the Guidehouse/Nan McKay, Illumina Inc., Raytheon, Aerojet, and Cisco cases.

Cybersecurity Enforcement Across Industries: From Healthcare to Defense

The six cybersecurity FCA settlements in 2025 span diverse industries—from healthcare administration and biotechnology to defense contracting and academic research—illustrating that cybersecurity compliance is critical across all sectors doing business with the federal government:

  • Health Net Federal Services, a TRICARE healthcare administrator, and its parent company Centene Corporation agreed to pay over $11.25 million for falsely certifying compliance with cybersecurity requirements from 2015-2018, including failures to scan for vulnerabilities and remedy security flaws.
  • Defense contractor MORSECORP Inc. agreed to pay $4.6 million after submitting a false SPRS score of 104 to DoD when its actual score was -142, and failing to update it until after receiving a government subpoena.
  • Major defense contractors Raytheon Company, RTX Corporation, and Nightwing paid $8.4 million for failing to implement required cybersecurity controls on an internal development system used on 29 DoD contracts between 2015-2021.
  • Biotechnology company Illumina Inc. settled for $9.8 million over allegations it sold genomic sequencing systems with cybersecurity vulnerabilities to federal agencies from 2016-2023 without adequate security programs.
  • Aerospace maintenance, repair, and overhaul (MRO) service provider Aero Turbine Inc. and private equity firm Gallant Capital Partners paid $1.75 million for cybersecurity violations in an Air Force contract.
  • Georgia Tech Research Corporation, an academic research entity, paid $875,000 to resolve allegations of failing to implement NIST SP 800-171 controls and submitting a false cybersecurity assessment score of 98 based on a fictitious "virtual" environment for Air Force and DARPA contracts.

In more than one of these cases, the government alleged the defendant ignored cybersecurity risks flagged by third-party and/or internal auditors. Unfortunately, this is not uncommon in corporate environments. Whistleblower James Glenn was similarly ignored and then fired for flagging alleged cybersecurity vulnerabilities at Cisco. Another cybersecurity whistleblower, Andrew Harris, tried and failed to get Microsoft to address critical security vulnerabilities in its cloud infrastructure before the SolarWinds hack. These failures to heed internal reporting put us all at risk and expose companies that look the other way to liability under the FCA or securities laws.

We all benefit when companies implement robust whistleblower response systems. These systems should include dedicated reporting channels, cross-disciplinary review teams (to prevent information silos), clear timelines for investigating reported vulnerabilities, and transparent communication with internal reporters. Most critically, companies must prevent retaliation against internal reporters. By treating internal and external security warnings as valuable intelligence rather than unwelcome disruptions, organizations can address vulnerabilities before they escalate into enforcement actions or, more devastatingly, infiltrations that compromise the confidentiality, integrity, and availability of sensitive data.