Risks of cyber fraud allegations remain high for companies subject to government requirements
Investigations into alleged violations of cybersecurity requirements under the federal civil False Claims Act (FCA) and its state analogues are increasingly an area of focus for the U.S. Department of Justice (DOJ), state attorneys general and whistleblowers (known as qui tam plaintiffs or relators under the FCA). We expect a continued uptick in enforcement activity, leading to elevated risk and additional potential financial exposure for companies subject to government cybersecurity requirements.

First, federal agencies and state and local governments are imposing progressively stricter cybersecurity requirements in their contracts that will ultimately apply to a broader set of contractors than before.

For example, when the Pentagon’s new Cybersecurity Maturity Model Certification (CMMC) regulations go into effect on November 10, 2025, they will remove certain flexibility currently afforded to contractors that handle controlled unclassified information (CUI). Contractors will be required to fully implement the required cybersecurity controls, undergo additional assessments (including third-party assessments in some instances) to validate that those controls are in place, and periodically affirm to the government that they have implemented, and will continue to maintain, all requirements applicable to their CMMC status.

More generally, the U.S. government has been working for many years on a rule that would impose rigorous cybersecurity controls for CUI on contractors to most federal agencies. Although some agencies already impose their own cybersecurity requirements, this rule, if finalized, would apply government-wide and would likely increase the number of companies that must comply with obligations of this kind.

Finally, state and local governments have continued to impose new cybersecurity requirements in their contracts for products and services, of which the GovRAMP program (formerly called StateRAMP) is a prominent example.

Second, DOJ continues to treat FCA enforcement as a priority to pursue aggressively and is now several years up the learning curve in understanding technical cybersecurity requirements. We are increasingly seeing federal FCA settlement agreements that cite technical or esoteric aspects of cybersecurity requirements, including requirements that apply to a broad range of technologies such as information systems and devices, and DOJ is pursuing cases that turn on complex cybersecurity issues. DOJ has continued to identify procurement fraud as a major priority from both a criminal and a civil perspective, so we expect its focus on civil and criminal cybersecurity fraud to continue. We expect similar trends at the state and local levels as cybersecurity becomes more of a focus for enforcement authorities there.

Third, the increased publicity surrounding settlements related to cybersecurity fraud — including discussions of the recoveries that whistleblowers receive in those suits — will likely encourage additional qui tam actions that in turn encourage additional government investigations. 

DOJ is actively encouraging whistleblowers to come forward, and the vast majority of cyber fraud settlements in the past few years have originated in qui tam cases. Although the technical nature of cybersecurity fraud allegations can make these cases difficult for DOJ to investigate and prove, qui tam plaintiffs can help address some of those challenges. Relators are often current or former employees with technical backgrounds and direct knowledge of the state of an organization’s cybersecurity program, and their input can be instrumental to the government’s ability to understand the facts.

This likely increase in enforcement also raises the financial risk for contractors subject to cybersecurity requirements. Although some of the more recent cybersecurity fraud settlements have been relatively modest, the settlement amount represents only a fraction of the total cost of responding to an allegation of cybersecurity fraud.

For example, companies responding to such allegations typically conduct their own investigation to assess the validity of the allegations and develop the factual record, which may require retaining counsel with deep experience in the technical aspects of these cases.

Further, an investigation can require significant attention from company leadership. Thus, even where a company successfully mounts a complete or partial defense, the practical burdens and expenses of an investigation can greatly outweigh the cost of any potential settlement. When you read about the latest FCA cybersecurity settlements, assume that the overall financial cost to the company in question was far greater than the disclosed settlement amount.
