
The DOJ is Watching: What This Means for DoD Contractors
The Department of Justice sends a clear message to defense contractors: cybersecurity compliance is not optional, and the consequences of falling short are more serious than ever. With multiple companies already facing millions of dollars in fines under the False Claims Act (FCA), the government is showing no hesitation in holding organizations accountable for misrepresenting or neglecting their cybersecurity obligations.
For Department of Defense (DoD) contractors and subcontractors, this shift isn’t just a legal development. It’s a wake-up call. The DOJ’s Civil Cyber-Fraud Initiative is actively investigating contractors who falsely certify their compliance with cybersecurity requirements. These cases aren’t about data breaches alone. They often involve overlooked basics like incomplete System Security Plans (SSPs), inaccurate NIST 800-171 self-assessments, or failure to follow DFARS and CMMC guidelines.
At MAD Security, we’ve seen firsthand how even well-meaning contractors can find themselves in the DOJ’s crosshairs. This article breaks down what FCA cybersecurity enforcement means, the risks DoD contractors need to be aware of, and what steps your organization should take to stay ahead of enforcement trends while protecting your federal contracts.
What is the False Claims Act and Why is it Now a Cybersecurity Enforcement Tool?
The False Claims Act is a federal law that was created to fight financial fraud against the government. For years, it has been used to recover billions in cases involving healthcare billing fraud, overcharging in government contracts, and misused federal funds. But now it has a new focus: cybersecurity non-compliance.
Thanks to the Department of Justice’s Civil Cyber-Fraud Initiative, launched in late 2021, the FCA is being applied to a new category of fraud: contractors who falsely claim they are meeting required cybersecurity standards. This shift has major implications for DoD contractors, especially those working under contracts that include DFARS 252.204-7012 or Federal Acquisition Regulation (FAR) 52.204-21 clauses.
When a company submits an invoice or progress report to the government, it is also certifying that it is following the rules outlined in the contract. That includes maintaining adequate cybersecurity protections, especially if the company handles Controlled Unclassified Information (CUI) or other sensitive federal data. If a contractor knows they are not compliant, but bills the government anyway, the DOJ can treat that as a false claim under the law.
Cybersecurity isn’t just a technical requirement. It is a legal obligation that can result in steep penalties, reputational damage, and lost business if neglected. For government contractors, understanding this enforcement shift is essential for staying in compliance and out of court.
FCA Cybersecurity Crackdowns: What They Are Teaching Us
The Department of Justice has significantly ramped up enforcement against government contractors who fail to meet cybersecurity requirements. The cases from 2024 into 2025 are not just cautionary tales. They are real-world examples showing that False Claims Act cybersecurity enforcement is no longer theoretical. It is happening now, and it is hitting companies across industries, from defense contractors to universities to healthcare providers.
Let’s take a closer look at a few of the most impactful cases:
Raytheon / RTX and Nightwing – $8.4 Million Settlement
Raytheon, one of the most recognized defense contractors, settled FCA allegations over failing to implement required cybersecurity controls on systems used in at least 29 Department of Defense contracts. The company had no System Security Plan (SSP) in place for a key internal network, and the DOJ saw this as a material failure under DFARS 252.204-7012. The result? A multi-million dollar payout and national headlines. This case alone highlights how even internal systems, if connected to federal work, must be compliant.
MORSECORP – $4.6 Million Settlement
MORSECORP reported an impressive cybersecurity score of 104 out of 110 in the Supplier Performance Risk System (SPRS). But a third-party audit later revealed their real score was closer to minus 142. That massive gap, plus the use of a non-FedRAMP email provider and delayed reporting, led to a substantial FCA settlement. The company also admitted to a long list of specific compliance failures.
Health Net (Centene) – $11.25 Million Settlement
This case shows that cybersecurity failures without a breach can still carry serious consequences. Health Net repeatedly certified that it was compliant with DoD TRICARE cybersecurity standards, even though internal and external audits had flagged serious risks. Ignoring these warnings and continuing to certify compliance was enough to trigger DOJ enforcement under the FCA.
The Top Cybersecurity Compliance Failures That Trigger FCA Investigations
- Missing or Incomplete System Security Plans (SSPs)
Every contractor handling Controlled Unclassified Information is required under DFARS 252.204-7012 to maintain a System Security Plan. Yet, multiple companies, including Raytheon and MORSECORP, were penalized for operating without one or for having an outdated, incomplete version. An SSP is not optional. It’s the foundation of your cybersecurity posture.
- Misleading or Inflated SPRS Scores
The SPRS score is used by the Department of Defense to evaluate contractor cybersecurity maturity. Submitting inflated or inaccurate scores, especially if you know they don’t reflect reality, is considered a false certification. This was a key issue in the MORSECORP and Georgia Tech cases, where claimed scores were far from the truth.
- Use of Non-Compliant Cloud or Email Providers
Third-party platforms that don’t meet FedRAMP Moderate or other contractual standards can put your compliance at risk. If you're storing sensitive government data on unapproved platforms or tools, you could face liability, even if no data is lost.
- Ignoring Internal or External Audit Findings
Many FCA actions are based not on new discoveries but on evidence that the organization already knew about weaknesses and failed to act. That kind of willful neglect, which the DOJ calls “reckless disregard,” is a fast track to legal trouble.
For DoD contractors, avoiding FCA exposure starts with addressing these known compliance risk areas.
How CMMC, DFARS, and NIST 800-171 Connect to FCA Enforcement
If you're a Department of Defense contractor, you’ve likely heard of CMMC, DFARS, and NIST 800-171. These frameworks are more than just checkboxes. They’re the baseline for how you’re expected to protect government data. What’s changed in the past year is that the Department of Justice is now using the False Claims Act to enforce them.
So, how do these standards tie into FCA risk?
Let’s start with DFARS 252.204-7012. This clause is included in most DoD contracts and requires contractors to provide "adequate security" for Controlled Unclassified Information (CUI). It points directly to NIST SP 800-171, which lays out 110 specific controls that must be implemented. If you claim to be compliant with DFARS, the government assumes you’ve implemented all those controls, or you’re actively working on them with a documented Plan of Action and Milestones (POA&M).
The Cybersecurity Maturity Model Certification builds on these same standards. While full implementation of CMMC is still being phased in, it’s already influencing contract awards and enforcement trends. The DOJ has signaled that self-attestation is no longer enough, especially if it doesn’t reflect your cybersecurity posture.
Failing to meet these obligations, or falsely claiming you have, can turn a compliance gap into a potential false claim under the FCA. That’s why accurate self-assessments, complete System Security Plans, and honest reporting are now mission-critical for DoD contractors.
At MAD Security, we help clients not just “check the box” but truly meet the intent of these frameworks so they can operate with confidence and avoid enforcement risk.
What DoD Contractors Should Be Doing Right Now to Stay Compliant
With the Department of Justice actively enforcing the False Claims Act through cybersecurity compliance violations, DoD contractors cannot afford to take a “wait and see” approach. Proactive steps today can prevent costly mistakes, legal trouble, and the loss of future contracts. If your company handles CUI or works under contracts containing DFARS or CMMC clauses, here’s what you need to be doing right now.
- Conduct a Cybersecurity Gap Assessment
Start by assessing where you actually stand. Many companies believe they’re compliant until they’re audited or investigated. A professional GRC Gap Assessment can uncover weaknesses in your NIST 800-171 implementation and identify whether your System Security Plan (SSP), POA&Ms, and control documentation are up to date.
- Review and Validate Your SPRS Score
Your SPRS score is not just for internal tracking—it’s used by the Department of Defense to evaluate contract eligibility. Ensure your SPRS score is evidence-based, up-to-date, and defensible under audit scrutiny. If you haven’t updated it in a while, or if it was self-calculated without a third-party review, now is the time to recheck it.
- Verify Your Third-Party Vendors
Cloud providers, email hosts, and other service vendors must meet the same standards you’re held to. Ensure they are FedRAMP Moderate compliant if they are storing or transmitting sensitive federal data. If they’re not, you could be out of compliance without realizing it.
- Engage a CMMC Registered Provider Organization (RPO)
Working with a trusted partner like MAD Security, a CMMC RPO, ensures your organization isn’t navigating this complex environment alone. We help clients implement cybersecurity controls, build accurate documentation, and manage ongoing compliance, so when the government asks, you’re ready.
The reality is simple. FCA cybersecurity enforcement is increasing, and the contractors who succeed will be the ones who invest in their cybersecurity programs before there’s a problem.
How MAD Security Helps You Avoid FCA Cybersecurity Risk
At MAD Security, we understand the real-world pressures that DoD contractors face. Navigating evolving cybersecurity standards like CMMC, DFARS, and NIST 800-171 can be overwhelming, especially when the stakes include multi-million-dollar False Claims Act penalties and the risk of losing government contracts.
Our team brings decades of hands-on experience supporting defense contractors, aerospace firms, research institutions, and critical vendors in the Defense Industrial Base (DIB). As a CMMC Registered Provider Organization (RPO), we go beyond paperwork. We embed NIST-aligned best practices into your people, processes, and technology to build a cybersecurity foundation that stands up to both audits and enforcement scrutiny.
With our Virtual Compliance Management (VCM) service, you get dedicated experts who help you maintain accurate System Security Plans, valid SPRS scores, documented POA&Ms, and ongoing monitoring. Our SOC-as-a-Service offers 24/7 threat detection and response, ensuring your environment is continuously protected and compliant.
If you're unsure about your current cybersecurity posture or just starting to prepare for CMMC Level 2, we’re here to guide you step by step. Compliance doesn’t have to be confusing or stressful. With MAD Security, you gain a trusted partner committed to protecting your mission and helping you avoid the risks that come with cyber non-compliance.
Secure Your Future: Stay Compliant, Stay Competitive
The message from the Department of Justice is clear: cybersecurity compliance is now a legal requirement, not just a best practice. With the rise of False Claims Act enforcement targeting contractors who misrepresent or neglect their cybersecurity obligations, doing the bare minimum is no longer enough. Whether you're handling CUI, submitting SPRS scores, or preparing for CMMC Level 2, every aspect of your cyber program must be accurate, defensible, and up-to-date.
At MAD Security, we help DoD contractors close compliance gaps, reduce risk, and confidently meet federal requirements. From gap assessments and System Security Plan development to SOC monitoring and Virtual Compliance Management, our team is ready to support your mission.
Take the first step today. Schedule a cybersecurity readiness consultation and find out how MAD Security can help you stay compliant, avoid penalties, and win more contracts.
Frequently Asked Questions (FAQs): FCA Cybersecurity Enforcement for DoD Contractors
To help you better understand the rising risks and responsibilities around False Claims Act cybersecurity enforcement, we’ve compiled answers to some of the most common questions from DoD contractors and subcontractors navigating DFARS, NIST 800-171, and CMMC requirements.
What is the False Claims Act (FCA) and how does it apply to cybersecurity?
The False Claims Act is a federal law that holds organizations liable for knowingly submitting false information to the government to receive funds. In the cybersecurity context, if a contractor claims they are meeting the cybersecurity requirements of a DoD contract, but they are not, those claims can be treated as fraudulent under the FCA.
Do I need to have a System Security Plan (SSP)?
Yes. If you are subject to DFARS 252.204-7012 and required to follow NIST 800-171, maintaining a current, accurate System Security Plan (SSP) is essential. Not having one has already led to multimillion-dollar FCA settlements.
What is the SPRS score and why is it important?
The Supplier Performance Risk System (SPRS) score is a self-assessed score that reflects your implementation of NIST 800-171 controls. Submitting an inaccurate or inflated score to win contracts can lead to FCA liability, especially if the score doesn't match your actual cybersecurity posture.
How is the Department of Justice enforcing cybersecurity compliance?
Through the Civil Cyber-Fraud Initiative, the DOJ is pursuing companies that falsely certify their cybersecurity compliance. This includes using the FCA to hold contractors accountable for missing controls, ignoring audit findings, or failing to implement required security measures even if no data breach occurred.
Does my cloud provider need to be FedRAMP compliant?
Yes, if you store or transmit Controlled Unclassified Information (CUI) using a cloud provider, they must meet FedRAMP Moderate requirements. Using a non-compliant provider is a violation of DFARS and can create serious legal exposure.
How can MAD Security help me stay compliant?
MAD Security is a CMMC Registered Provider Organization (RPO) specializing in DoD contractor cybersecurity compliance. We offer comprehensive services including Virtual Compliance Management, SPRS score validation, System Security Plan development, and 24/7 SOC monitoring to help you meet requirements and avoid FCA penalties.