The Department of Justice is sending a clear message to defense contractors: cybersecurity compliance is not optional, and the consequences of falling short are more serious than ever. With multiple companies already facing millions of dollars in fines under the False Claims Act (FCA), the government is showing no hesitation in holding organizations accountable for misrepresenting or neglecting their cybersecurity obligations.
For Department of Defense (DoD) contractors and subcontractors, this shift isn’t just a legal development. It’s a wake-up call. The DOJ’s Civil Cyber-Fraud Initiative is actively investigating contractors who falsely certify their compliance with cybersecurity requirements. These cases aren’t about data breaches alone. They often involve overlooked basics like incomplete System Security Plans (SSPs), inaccurate NIST 800-171 self-assessments, or failure to follow DFARS and CMMC guidelines.
At MAD Security, we’ve seen firsthand how even well-meaning contractors can find themselves in the DOJ’s crosshairs. This article breaks down what FCA cybersecurity enforcement means, the risks DoD contractors need to be aware of, and what steps your organization should take to stay ahead of enforcement trends while protecting your federal contracts.
Thanks to the Department of Justice’s Civil Cyber-Fraud Initiative, launched in late 2021, the FCA is being applied to a new category of fraud: contractors who falsely claim they are meeting required cybersecurity standards. This shift has major implications for DoD contractors, especially those working under contracts that include DFARS 252.204-7012 or Federal Acquisition Regulation (FAR) 52.204-21 clauses.
When a company submits an invoice or progress report to the government, it is also certifying that it is following the rules outlined in the contract. That includes maintaining adequate cybersecurity protections, especially if the company handles Controlled Unclassified Information (CUI) or other sensitive federal data. If a contractor knows they are not compliant, but bills the government anyway, the DOJ can treat that as a false claim under the law.
The Department of Justice has significantly ramped up enforcement against government contractors who fail to meet cybersecurity requirements. The cases from 2024 into 2025 are not just cautionary tales. They are real-world examples showing that False Claims Act cybersecurity enforcement is no longer theoretical. It is happening now, and it is hitting companies across industries, from defense contractors to universities to healthcare providers.
Let’s take a closer look at a few of the most impactful cases:
Raytheon, one of the most recognized defense contractors, settled FCA allegations over failing to implement required cybersecurity controls on systems used in at least 29 Department of Defense contracts. The company had no System Security Plan (SSP) in place for a key internal network, and the DOJ saw this as a material failure under DFARS 252.204-7012. The result? A multi-million dollar payout and national headlines. This case alone highlights how even internal systems, if connected to federal work, must be compliant.
MORSECORP reported an impressive cybersecurity score of 104 out of 110 in the Supplier Performance Risk System (SPRS). But a third-party audit later revealed their real score was closer to minus 142. That massive gap, plus the use of a non-FedRAMP email provider and delayed reporting, led to a substantial FCA settlement. The company also admitted to a long list of specific compliance failures.
Health Net repeatedly certified that it was compliant with DoD TRICARE cybersecurity standards, even though internal and external audits had flagged serious risks. Ignoring these warnings and continuing to certify compliance was enough to trigger DOJ enforcement under the FCA. This case shows that cybersecurity failures can carry serious consequences even when no breach occurs.
Every contractor handling Controlled Unclassified Information is required under DFARS 252.204-7012 to maintain a System Security Plan. Yet, multiple companies, including Raytheon and MORSECORP, were penalized for operating without one or for having an outdated, incomplete version. An SSP is not optional. It’s the foundation of your cybersecurity posture.
So, how do these standards tie into FCA risk?
Let’s start with DFARS 252.204-7012. This clause is included in most DoD contracts and requires contractors to provide "adequate security" for Controlled Unclassified Information (CUI). It points directly to NIST SP 800-171, which lays out 110 specific controls that must be implemented. If you claim to be compliant with DFARS, the government assumes you’ve implemented all those controls, or you’re actively working on them with a documented Plan of Action and Milestones (POA&M).
Failing to meet these obligations, or falsely claiming you have, can turn a compliance gap into a potential false claim under the FCA. That’s why accurate self-assessments, complete System Security Plans, and honest reporting are now mission-critical for DoD contractors.
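To make the scoring behind the MORSECORP gap and the 110-control NIST SP 800-171 assessment concrete, here is an added illustration (not code from MAD Security or from the DoD methodology itself). It follows the DoD Assessment Methodology pattern: start at 110 and deduct 1, 3 or 5 points per unimplemented control. The control subset and its weights are my reading of the methodology and should be checked against the official table; the "no SSP means no score" rule and the reported-versus-evidence comparison are likewise assumptions made for the example.

```python
"""SPRS-style scoring for a NIST SP 800-171 self-assessment (added example)."""

START_SCORE = 110  # every one of the 110 controls implemented

# Constructed subset of controls: id -> (short name, points deducted if missing).
# Weights are taken from my reading of the DoD Assessment Methodology; verify
# them against the official table before relying on them.
CONTROL_WEIGHTS = {
    "3.1.1": ("Limit system access to authorized users", 5),
    "3.1.2": ("Limit users to permitted transactions and functions", 5),
    "3.3.1": ("Create and retain system audit logs", 5),
    "3.5.3": ("Multifactor authentication", 5),
    "3.13.11": ("FIPS-validated cryptography for CUI", 5),
    "3.8.1": ("Protect media containing CUI", 3),
    "3.4.3": ("Track, review and approve configuration changes", 1),
    "3.12.4": ("System Security Plan (SSP)", 0),
}
# Assumption for this example: the SSP is a precondition for assessment rather
# than a scored item, so without it no score can be produced at all.
SSP_CONTROL = "3.12.4"


class NoSSPError(Exception):
    """Raised when the SSP is missing: the assessment cannot be completed."""


def can_score(implemented: set[str]) -> bool:
    """True only if an SSP exists, i.e. the assessment can be performed."""
    return SSP_CONTROL in implemented


def sprs_score(implemented: set[str], controls: dict = CONTROL_WEIGHTS) -> int:
    """Deduct each unimplemented control's weight from the perfect score."""
    if not can_score(implemented):
        raise NoSSPError("no System Security Plan: assessment cannot be scored")
    deductions = sum(w for cid, (_, w) in controls.items() if cid not in implemented)
    return START_SCORE - deductions


def unsupported_points(reported: int, implemented: set[str]) -> int:
    """Points a contractor claimed in SPRS beyond what the evidence supports."""
    return reported - sprs_score(implemented)


if __name__ == "__main__":
    evidence = set(CONTROL_WEIGHTS) - {"3.5.3", "3.13.11"}  # MFA and FIPS missing
    print("evidence-based score:", sprs_score(evidence))
    print("points claimed without evidence:", unsupported_points(110, evidence))
```

With the full 110-control table the deductions exceed 110, which is why a real score can fall to negative values such as the -142 in the MORSECORP case.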
At MAD Security, we help clients not just “check the box” but truly meet the intent of these frameworks so they can operate with confidence and avoid enforcement risk.
With the Department of Justice actively enforcing the False Claims Act through cybersecurity compliance violations, DoD contractors cannot afford to take a “wait and see” approach. Proactive steps today can prevent costly mistakes, legal trouble, and the loss of future contracts. If your company handles CUI or works under contracts containing DFARS or CMMC clauses, here’s what you need to be doing right now.
Start by assessing where you actually stand. Many companies believe they’re compliant until they’re audited or investigated. A professional GRC Gap Assessment can uncover weaknesses in your NIST 800-171 implementation and identify whether your System Security Plan (SSP), POA&Ms, and control documentation are up to date.
Your SPRS score is not just for internal tracking; it is used by the Department of Defense to evaluate contract eligibility. Ensure your SPRS score is evidence-based, up-to-date, and defensible under audit scrutiny. If you haven’t updated it in a while, or if it was self-calculated without a third-party review, now is the time to recheck it.
Cloud providers, email hosts, and other service vendors must meet the same standards you’re held to. Ensure they are FedRAMP Moderate compliant if they are storing or transmitting sensitive federal data. If they’re not, you could be out of compliance without realizing it.
Our team brings decades of hands-on experience supporting defense contractors, aerospace firms, research institutions, and critical vendors in the Defense Industrial Base (DIB). As a CMMC Registered Provider Organization (RPO), we go beyond paperwork. We embed NIST-aligned best practices into your people, processes, and technology to build a cybersecurity foundation that stands up to both audits and enforcement scrutiny.
With our Virtual Compliance Management (VCM) service, you get dedicated experts who help you maintain accurate System Security Plans, valid SPRS scores, documented POA&Ms, and ongoing monitoring. Our SOC-as-a-Service offers 24/7 threat detection and response, ensuring your environment is continuously protected and compliant.
The message from the Department of Justice is clear: cybersecurity compliance is now a legal requirement, not just a best practice. With the rise of False Claims Act enforcement targeting contractors who misrepresent or neglect their cybersecurity obligations, doing the bare minimum is no longer enough. Whether you're handling CUI, submitting SPRS scores, or preparing for CMMC Level 2, every aspect of your cyber program must be accurate, defensible, and up-to-date.
At MAD Security, we help DoD contractors close compliance gaps, reduce risk, and confidently meet federal requirements. From gap assessments and System Security Plan development to SOC monitoring and Virtual Compliance Management, our team is ready to support your mission.
Take the first step today. Schedule a cybersecurity readiness consultation and find out how MAD Security can help you stay compliant, avoid penalties, and win more contracts.
To help you better understand the rising risks and responsibilities around False Claims Act cybersecurity enforcement, we’ve compiled answers to some of the most common questions from DoD contractors and subcontractors navigating DFARS, NIST 800-171, and CMMC requirements.