Recent settlements for contract violations offer clear lessons, because government contractors are evaluated long after the ink dries on a contract. Expectations persist for the life of the contract, and company leaders are expected to affirm that the required controls remain in place. When those affirmations diverge from reality, the Department of Justice has shown it will act.
The Justice Department’s Latest False Claims Act Settlements
Since launching the Civil Cyber-Fraud Initiative in 2021, the DOJ has announced roughly 15 settlements tied to contractor cybersecurity representations, including six in just the past few months.
While the industries and fact patterns vary, the common thread is simple: misstated cybersecurity claims – whether in self-assessments, product capabilities, or supply chain controls – are one of the leading drivers of enforcement risk for federal contractors.
Drawn from four recent settlements, the 11 lessons below highlight where regulators are focusing enforcement today and the risks you must manage to protect future revenue and awards.
1. Contractor bills for security capabilities they weren’t approved to deliver.
Who was involved?
Hill ASC Inc.
What happened?
Hill ASC, a Maryland IT company, allegedly billed federal agencies for highly adaptive cybersecurity services that required a technical evaluation it had not passed. Although the company had not received approval to offer those services under its GSA contract, it still submitted invoices for them.
Additional alleged misconduct included:
- Billing for IT personnel who did not meet the required education or experience standards
- Charging unapproved fees
The Department of Justice (DOJ) treated the conduct as alleged billing and contract fraud under the False Claims Act, which Hill resolved through a $14.75 million settlement.
Takeaway from the Hill Settlement
If your company claims compliance, capability, or eligibility that isn’t fully true, the government sees that as a false statement and will hold you accountable.
Keep in mind that:
- “We’re basically compliant” is not compliant.
- “We plan to fix that later” doesn’t count under the framework.
- If your contracts, invoices, or proposals imply you meet CMMC or NIST SP 800-171 controls, you must actually meet them.
2. Contractor sold systems with security vulnerabilities to federal agencies.
Who was involved?
Illumina Inc.
What happened?
Illumina, a San Diego biotechnology company, sold genomic sequencing systems to federal agencies that allegedly contained known cybersecurity vulnerabilities. According to the DOJ, the company lacked an adequate product security program but still sold the systems and submitted claims for payment.
Additional alleged misconduct included:
- Inadequate cybersecurity built into software design and development
- Insufficient resourcing of product security personnel and processes
- Failure to remediate known design-related vulnerabilities
- Misrepresenting compliance with ISO and NIST cybersecurity standards
While Illumina denied wrongdoing, it agreed to a $9.8 million settlement to resolve the False Claims Act allegations.
Takeaway from the Illumina Settlement
Cybersecurity liability doesn’t stop with your internal IT environment. It extends to the products you sell, the software you ship, and the systems you integrate with customers – especially federal ones.
Keep in mind:
- If your product interacts with government systems or data, secure design matters.
- Delivering something that “works” but isn’t secure can trigger enforcement.
3. Contractor self-reports noncompliance after letting data leave the country.
Who was involved?
Defense contractor Aero Turbine Inc. and its private equity owner, Gallant Capital Partners LLC
What happened?
Aero Turbine, a California maintenance, repair, and overhaul (MRO) services provider, was contractually required to implement NIST SP 800-171 controls to protect controlled defense information under an Air Force contract; however, it allegedly failed to do so.
According to the DOJ, those gaps were compounded when sensitive defense data was shared with an unauthorized Egypt-based software company, exposing controlled information outside of approved channels.
The DOJ treated the matter as alleged False Claims Act liability tied to cybersecurity noncompliance, while also noting that Aero Turbine and Gallant took corrective action through timely self-disclosure and cooperation with the government.
The case was ultimately resolved through a $1.75 million settlement.
Takeaway from the Aero Turbine & Gallant Settlement
Failing to control the flow of sensitive defense information, and to limit unauthorized access to it – especially across the supply chain – can quickly create enforcement risk. As soon as any issues surface, make sure to:
- Promptly self-disclose the issues.
- Cooperate with investigations.
- Take remedial measures as quickly as possible.
4. Contractor fakes self-assessment score and skips basic cyber hygiene.
Who was involved?
Georgia Tech Research Corp.
What happened?
This case began with a whistleblower complaint. According to the DOJ, Georgia Tech Research Corporation allegedly failed to meet required cybersecurity controls while conducting sensitive defense research, including:
- Conducting defense research without installing, updating, or running required anti‑virus or anti‑malware tools
- Failing to maintain a System Security Plan (SSP)
- Submitting a false self‑assessment score of 98, based on a “fictitious” or virtual environment not actually used to process defense data
The civil cyber-fraud litigation was resolved through an $875,000 settlement under the False Claims Act.
Takeaway from the Georgia Tech Settlement
The Georgia Tech settlement is a reminder that a breach isn’t required to attract the DOJ’s attention. In fact, whistleblower complaints alone can be enough to trigger scrutiny. That’s why overstating your cybersecurity posture – especially through inaccurate self-assessment scores – can quickly turn into False Claims Act exposure.
And when those claims aren’t backed by well-maintained SSPs, the risk only compounds. Because SSPs are foundational to CMMC compliance, letting them slide can put a contract in jeopardy.
Steps Executives Should Take to Grow Their Business
To reduce risk and avoid DOJ scrutiny, you should:
1. Understand your contractual obligations (especially NIST SP 800-171 and CMMC Level 2).
2. Ensure assessments reflect reality, not your organization’s aspirations.
3. Align IT, security, legal, and finance on what your company claims in contracts and invoices.
4. Implement ongoing compliance monitoring, not one-time audits.
5. Treat cybersecurity as a revenue protection strategy, not a cost center.
Reflecting on the False Claims Act Lessons
Across these cases, the consequences stemmed from the gaps between what contractors claimed they had and what they actually maintained. This demonstrates that maintaining accurate assessments, complete controls, and current SOPs is essential to protecting DIB contractors’ revenue. Ultimately, organizations that treat cybersecurity as a continuous, executive-level discipline will be the ones positioned to compete and grow.