Defense Contractor Reaches Settlement in False Claims Act Investigation

0
4

Key Takeaways

  • The Department of Justice is treating cybersecurity non‑compliance as a False Claims Act (FCA) violation, exposing contractors to significant financial penalties.
  • A recent settlement exceeded $500,000 for a defense contractor that allegedly failed to implement required NIST SP 800‑171 controls while continuing to bill the government.
  • Low scores under the DoD cybersecurity assessment methodology (e.g., –170) can serve as evidence of material vulnerabilities and support FCA claims.
  • Contractors who certify compliance, submit self‑assessments, or accept payment despite known deficiencies risk fraud liability under the FCA.
  • NIST SP 800‑171 requirements, often flowed down via DFARS 252.204‑7012 and similar clauses, are now a focal point of fraud enforcement, not just a contractual checklist.
  • Federal agencies are coordinating with investigative bodies (NCIS, DCMA, DoD cybersecurity teams) to identify and pursue cybersecurity‑related fraud.
  • Proactive self‑assessment, accurate System Security Plans, and honest certifications are essential to mitigate FCA exposure.

Overview of the DOJ Settlement
The Department of Justice recently announced a settlement in which a defense contractor agreed to pay more than $500,000 to resolve allegations that it knowingly failed to meet cybersecurity obligations embedded in its Navy contracts. While continuing to perform work and submit invoices for payment, the contractor allegedly did not implement the security controls required to protect Controlled Unclassified Information (CUI). The case illustrates the DOJ’s willingness to pursue monetary remedies beyond traditional contract remedies, signaling that cybersecurity lapses can now trigger civil fraud claims under the False Claims Act.

Details of the Alleged Cybersecurity Failures
According to the DOJ, the contractor’s alleged shortcomings concerned the implementation of controls prescribed by NIST Special Publication 800‑171, the federal standard for safeguarding CUI on nonfederal systems. Over a span of nearly four years, the contractor purportedly left essential safeguards unimplemented while still certifying compliance and requesting payment. These ongoing deficiencies were said to have left contractor systems vulnerable to exploitation or unauthorized exfiltration of sensitive defense information, thereby jeopardizing national security interests.

Assessment Scores and Their Significance
The contractor’s deficiencies were uncovered during an evaluation by the Defense Contract Management Agency, which assigned a cybersecurity assessment score of negative 170 under the DoD’s scoring methodology. Because the scoring range extends from negative 203 (worst) to positive 110 (best), a score of –170 indicates a severe shortfall in security posture. The DOJ cited this low score as evidence that the contractor’s systems harbored material vulnerabilities, reinforcing the argument that the contractor’s certifications of compliance were false or misleading.

False Claims Act as a Cybersecurity Enforcement Tool
This settlement exemplifies the DOJ’s expanding use of the False Claims Act to address cybersecurity shortcomings among federal contractors. Historically, cybersecurity violations were handled through contract disputes, poor performance ratings, cure notices, or potential suspension and debarment. Now, the government is framing such deficiencies as fraudulent conduct when contractors affirm compliance while knowingly falling short, thereby turning routine invoices into the basis for FCA liability.

Legal Theory Behind FCA Liability for Cybersecurity
The underlying legal theory is straightforward: if a contractor agrees to comply with mandatory cybersecurity clauses, represents that compliance to the government, and submits claims for payment despite being aware of deficiencies, those payment requests constitute false claims. The FCA imposes treble damages and penalties on anyone who knowingly presents, or causes to be presented, a false or fraudulent claim for government payment. By aligning cybersecurity obligations with false‑statement liability, the DOJ has created a powerful deterrent against lax security practices.

Importance of NIST SP 800‑171 Compliance
For the majority of defense contractors, NIST SP 800‑171 is the baseline cybersecurity standard mandated by contract clauses such as DFARS 252.204‑7012 and related provisions. Compliance is not merely a technical checkbox; it is a contractual certification that the government relies upon when awarding and paying for work. The recent enforcement action underscores that even partial noncompliance can be deemed material, especially when contractors continue to certify full adherence while knowingly neglecting required controls.

Contractual Clauses and Common Missteps
Many contractors delegate cybersecurity responsibilities to internal IT teams or third‑party managed service providers, treating the obligations as purely technical. This case demonstrates that such delegation does not relieve the contractor of legal accountability for certifying compliance. Common pitfalls include outdated System Security Plans, incomplete Plans of Action and Milestones (POA&M), and self‑assessment scores that overstate the actual security posture. When these documents diverge from reality, they can serve as evidence of false certification under the FCA.

Broader Federal Fraud Enforcement Landscape
The settlement arrives amid a heightened federal focus on fraud, waste, and abuse across government programs. The administration has launched a Task Force to Eliminate Fraud and a new National Fraud Enforcement Division, both emphasizing the False Claims Act as a cornerstone of anti‑fraud initiatives. Consequently, cybersecurity enforcement is unlikely to wane; agencies are increasingly coordinating with investigative entities such as the Naval Criminal Investigative Service, the Defense Contract Management Agency, and specialized DoD cybersecurity assessment teams to uncover contractor noncompliance.

Practical Recommendations for Contractors
In light of this evolving enforcement environment, defense contractors should take immediate, concrete steps:

  • Conduct a comprehensive gap analysis against NIST SP 800‑171 controls and update System Security Plans to reflect actual implementation.
  • Ensure that Plans of Action and Milestones accurately document any deficiencies and include realistic timelines for remediation.
  • Align internal certifications, self‑assessment scores, and invoicing practices with the verified security posture to avoid false statements.
  • Involve legal and compliance teams early in the contracting process to understand the FCA implications of cybersecurity representations.
  • Maintain continuous monitoring and periodic third‑party audits to demonstrate ongoing compliance and readiness for government scrutiny.

By proactively addressing cybersecurity compliance, contractors can reduce their exposure to False Claims Act liability, protect their reputation, and preserve their eligibility for future federal work.

SignUpSignUp form

LEAVE A REPLY

Please enter your comment!
Please enter your name here