This article was featured in the April 2025 edition of the Utility Contractors Association of New England, Inc.’s Construction Outlook.
The United States Department of Justice (“DOJ”) recently announced a $4.6 million settlement with a federal defense contractor for alleged “cybersecurity fraud” in connection with Department of Defense (“DOD”) contracts. According to the DOJ, the contractor allegedly violated the False Claims Act by seeking payment on federal contracts despite knowing that it was not in compliance with contractual cybersecurity requirements.
The case arose out of a whistleblower action. According to the settlement, the Defense Federal Acquisition Regulation Supplement (“DFARS”) requires DOD “contractors and subcontractors to provide adequate security on all covered contractor information systems . . . .” In addition, the settlement agreement noted that DFARS provides that any DOD contractor or subcontractor that “‘intends to use an external cloud storage provider to store, process, or transmit any covered defense information’” in connection with the performance of a covered contract “‘shall require and ensure that the cloud service provider meets’” certain applicable security requirements. These include requirements relating to “cyber incident reporting, malicious software, media preservation and protection” and “cyber incident damage assessment.”
According to the settlement agreement, the contractor allegedly used a third-party company to provide “software-as-a-service” hosting of its emails “without requiring and ensuring” that the third party met applicable security requirements. In addition, the contractor allegedly did not implement applicable cybersecurity controls which could give rise to various security risks. The contractor allegedly knew that it was not in compliance with applicable cybersecurity requirements.
Nevertheless, according to the settlement, the contractor allegedly submitted claims for payment to the federal government in connection with federal government contracts over a 5-year period. The settlement agreement stated that “[t]he United States contends that those claims for payment were false or fraudulent” allegedly because of the contractor’s knowledge of its cybersecurity shortcomings.
The contractor agreed to pay the United States $4,600,000.00 plus interest. Half of this settlement amount was designated as “restitution” in the settlement agreement. The settlement agreement further provided that the United States shall transfer 18.5% of the settlement payments to the whistleblower, good for payment of $851,000.00 to the whistleblower. The settlement agreement further required the contractor to pay approximately $200,000.00 to the whistleblower’s legal counsel to cover expenses, attorneys’ fees, and costs.
According to the DOJ, “[f]ederal contractors must fulfill their obligations to protect sensitive government information from cyber threats.” Another government official added that “[f]ailure to implement cybersecurity requirements can have devastating consequences, leaving sensitive DOD data vulnerable to cyber threats and malicious actors.”
With advancing technology comes increased cybersecurity risks and – depending on the contract – increased cybersecurity-related requirements. Contractors that use third-party technology – such as document management systems, email systems, cloud-based storage and hosting systems and the like – should be mindful of the cybersecurity risks associated with the use of such systems. Contractors performing work under government contracts should be sure to adhere to applicable cybersecurity requirements and take active steps to determine whether they are in compliance with those requirements. Beyond the various risks associated with unauthorized access to and disclosure of data and information, failure to implement appropriate cybersecurity controls can lead to other potentially adverse consequences, such as the risk of False Claims Act exposure as in this case.