As the Department of Justice Affirms and Advances Its Cyber-Fraud Initiative, Government Contractors Should Take Steps to Ensure Cybersecurity Compliance | Ice Miller

While some areas of white-collar enforcement have been deprioritized by the Trump Administration, the Department of Justice (DOJ) remains committed to its Civil Cyber-Fraud Initiative as demonstrated by two recent False Claims Act (FCA) settlements. These cases are listed on Ice Miller’s updated Department of Justice “Cyber-Fraud” Case Tracker accompanying this article.

In announcing the settlement of one of the cases, Acting Assistant Attorney General Brett Shumate, head of the DOJ Civil Division, stated as follows:

“Companies that hold sensitive government information…must meet their contractual obligations to protect it. We will continue to pursue knowing violations of cybersecurity requirements by federal contractors and grantees to protect Americans’ privacy and economic and national security.”

The Senate Judiciary Committee recently held a hearing on Mr. Shumate’s nomination to become the permanent head of the DOJ Civil Division. During his testimony, Mr. Shumate reinforced the above statement by pledging to vigorously enforce the FCA, stating, “the False Claims Act is an essential tool that the Department [of Justice] uses to root out fraud, waste, and abuse.” Mr. Shumate’s testimony is consistent with the Trump Administration’s stated policy objective of advancing governmental efficiency by reducing fraud, waste, and abuse. Unlike in other areas of white-collar enforcement, it is therefore reasonable to expect robust FCA enforcement, including in cybersecurity.

For more than three years, the DOJ has been opening and expanding investigations of government contractors and the individuals working for them, and bringing cases for alleged “cyber-fraud.” The DOJ Civil Cyber-Fraud Initiative was designed to hold accountable entities and individuals that knowingly misrepresent their cybersecurity practices or protocols. The DOJ relies on the statutory authority of the FCA to pursue these cases, and raising contractors’ cybersecurity standards is one of several policy goals of the initiative.

The FCA protects the federal government against false claims submitted by contractors and grant recipients to obtain federal funds. The statute permits the government to obtain treble damages and per-claim penalties from entities that knowingly submit false claims for payment; “knowingly” includes acting in deliberate ignorance or reckless disregard of the truth or falsity of the information, so actual intent to defraud is not required (see 31 U.S.C. Section 3729(a) and (b)). The FCA also includes a whistleblower (qui tam) provision that allows private parties to file suit on the government’s behalf over fraudulent conduct and share in any recovery (31 U.S.C. Section 3730(b)). The Government may elect to intervene in such cases.

Last year, the DOJ intervened in an FCA case against Georgia Tech and filed a complaint in a matter that could become a landmark cyber-fraud case if the DOJ’s fraud theories survive Georgia Tech’s motion to dismiss and prevail. According to the docket, the judge recently recommended that the parties mediate the case, so it could be on track to be resolved without litigation. A settlement conference is scheduled for May 28, 2025. Based on a review of the settlement agreements on the Ice Miller Cyber-Fraud Tracker, several key points are identified below.

Several successful fraud allegations have been based on mere contract noncompliance

As reflected by a subset of the settled allegations, a successful claim of cyber-fraud can be rooted in a breach of contract without a clear nexus to fraudulent conduct. This section focuses on contract-specific allegations in settlement agreements that were not accompanied by clear allegations of fraud. The following are examples of alleged contract violations that the DOJ has treated as fraud:

  • A company stored sensitive medical records on an internal network drive that unauthorized staff could have accessed, in alleged violation of a contract term (Comprehensive Health Services). The company allegedly failed to take adequate steps to fix the data storage and access vulnerability even after employees raised privacy concerns, and it did not disclose in its claims for payment to the government that it had not complied with the contract term.
  • A company allegedly failed to conduct contractually required cybersecurity testing before launching an application, with the result that certain financial information for a limited number of individuals became accessible through commercial Internet search engines (Guidehouse/Nan McKay).
  • A university used an external cloud service provider to process Covered Defense Information allegedly without requiring the provider to meet security requirements equivalent to the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline, in violation of a standard Defense Federal Acquisition Regulation Supplement (DFARS) contract clause (Penn State).
  • In alleged violation of standard DFARS provisions, a company used a software-as-a-service provider to host email without requiring the provider to meet FedRAMP Moderate or equivalent security requirements, and failed to flow down the incident-reporting and related requirements imposed by the DFARS (MORSECORP).

While defendants typically do not admit liability when settling a case, future FCA plaintiffs may be encouraged by how routine noncompliance issues, such as a failure to flow down a contract clause, can lead to a successful fraud case with a significant settlement.

Additionally, in the Penn State case, the DOJ alleged that the university failed to remediate security deficiencies by the milestone dates it had projected in its own plan of action. The DOJ treated the missed milestones as fraud even though schedule slips are common in information technology projects.

Government contractors should take cybersecurity compliance seriously

Below is a non-exhaustive list of best practices for government contractors to help safely navigate the enforcement environment related to cybersecurity.

Know and comply with your contracts

Because of the DOJ’s ongoing emphasis on detecting and preventing cyber-fraud, which includes a contract compliance component, government contractors should take appropriate steps to fully understand and comply with contractual terms related to cybersecurity and data protection. Such terms appear not only in the Federal Acquisition Regulation (FAR) and the DFARS (whose clause 252.204-7012 incorporates NIST SP 800-171), but also in special clauses, other agency supplements, statements of work, and government manuals and directives incorporated by reference into government contracts. It is essential to read the entire contract, including every referenced document, to understand the full scope of the requirements.

Once all cybersecurity contract provisions have been identified, contractors should establish and maintain a matrix of the key provisions to track compliance with each one. Depending on the facts and circumstances, in addition to remediating any noncompliance that is discovered, it may be appropriate to notify government customers of any material and ongoing noncompliance. Such disclosure can mitigate or reduce FCA liability, because a deficiency that the government knows about and continues to pay invoices despite is much harder to characterize as a knowing, material misrepresentation.

Include cybersecurity in compliance programs and efforts

Considering the DOJ’s reliance on employee whistleblowers to identify potential cyber-fraud claims, it is important for government contractors to establish and maintain robust compliance programs that cover cybersecurity. These issues should not be left solely to the contractor’s Information Technology and Information Security organizations or personnel, particularly where those functions are outsourced to third-party managed service providers. In-house lawyers, contracts professionals, and compliance personnel must be sufficiently knowledgeable about cybersecurity to ask good questions and to promote and verify compliance.

Relatedly, when an employee raises a question or concern about cybersecurity compliance, responsible government contractors should review and respond to it appropriately and document having done so. Such diligence is often an antidote to allegations of reckless disregard that the DOJ or whistleblowers could later make to support an FCA case.

Bring in outside counsel as appropriate

Some cybersecurity regulations are ambiguous and susceptible to multiple interpretations. Indeed, this was by design when the National Institute of Standards and Technology (NIST) initially developed its standards for nonfederal systems and organizations (NIST SP 800-171), which state security outcomes rather than prescribing specific technical implementations.

When questions arise, government contractors need to understand the nuance and regulatory history behind the contract clauses, which can date back a decade or more. Because the answers are not always clear, it can be helpful in such situations to retain experienced outside counsel and technical experts to advise on judgment calls and risk management issues related to compliance.

Protect your company by safeguarding your information technology systems and sensitive information

In addition to the enforcement risks, government contractors face real-world threats to data security every day, along with the enterprise-wide risk and disruption that follow a breach. Compliance with the cybersecurity requirements in government contracts is not an abstract exercise. By meeting those requirements, contractors mitigate risks to the information systems and sensitive data entrusted to them by the federal government and position their companies for continued business success.
