Since January 2025, the Justice Department has been aggressively holding federal contractors accountable for cybersecurity violations under the False Claims Act.
Over the last 11 months, the Trump administration has announced six settlements out of the 14 since the initiative began in 2021.
Sara McLean, a former assistant director of the DOJ Commercial Litigation Branch’s Fraud Section and now a partner with Akin, said the Trump administration has made a much more significant push to hold companies, especially those that work for the Defense Department, accountable for meeting the cyber provisions of their contracts.
“I think there are going to be a lot more of these announcements. There’s been a huge uptick just since the beginning of the administration. That is just absolutely going to continue,” McLean said during Federal News Network’s Risk & Compliance Exchange 2025.
“The cases take a long time. The investigations are complex. They take time to develop. So I think there are going to be many, many, many more announcements, and there’s a lot of support for them. Cyber enforcement is now embedded in what the Justice Department does every day. It’s described as the bread and butter by leadership.”
A range of high-profile cases
A few of the high-profile cases this year so far include a $875,000 settlement with Georgia Tech Research Corp. in September and a $1.75 million settlement in August with Aero Turbine Inc. (ATI), an aerospace maintenance provider, and Gallant Capital Partners, a private equity firm that owned a controlling stake in ATI during the time period covered by the settlement.
McLean, who wouldn’t comment on any one specific case, said in most instances, False Claims Act allegations focus on reckless disregard for the rules, not simple mistakes.
“We’ve seen in some of the more recent announcements new types of fact patterns. What happens is when announcements are made that DOJ has pursued a matter and has resolved a matter, that often leads to the qui tam relators and their attorneys finding more matters like that and filing them,” said McLean who left federal service in October after almost 27 years. “It’ll be interesting to see if these newer fact patterns yield more cases that are similar.”
Recent cases that involve the security of medical devices or the qualifications of cyber workers performing on government contracts are two newer fact patterns that have emerged over the last year or so.
Launched in 2021, the Justice Department's Civil-Cyber Fraud initiative uses the False Claims Act to ensure contractors and grantees meet the government's cybersecurity requirements.
President Joe Biden signed an executive order in May 2021 that directed all agencies to improve “efforts to identify, deter, protect against, detect and respond to” malicious cyberthreats.
130 DOJ lawyers focused on cyber
Justice conducted a 360 review of cyber matters and related efforts, and one of the areas that emerged was to use the False Claims Act to hold contractors and grantees accountable and drive a change in behavior.
“The motivation was largely to improve cybersecurity and also to protect sensitive information, personal information, national security information, and to ensure a level playing field, so that you didn’t have some folks who were meeting the requirements and others who were not,” McLean said.
“It was to ensure that incidents were being reported to the extent the False Claims Act could be used around that particular issue. Because the thought was that would enable the government to respond to cybersecurity problems and that still is really the impetus now behind the enforcement.”
McLean said the Civil-Cyber Fraud initiative is now embedded as part of the DOJ's broader False Claims Act practice. It has about 130 lawyers, who work with U.S. attorneys' offices as well as agency inspector general offices.
Typically, an IG begins an investigation either based on a qui tam or whistleblower filing, or a more traditional review of contracts and grants.
The IG will assign agents and DOJ lawyers will join as part of the investigative team.
McLean said the agents are on the ground, interviewing witnesses and applying all the resources that come from the IGs. DOJ then decides, based on the information the IGs bring back, to either take some sort of action, such as intervening in a qui tam lawsuit and taking it over, or to decline or settle with a company.
“They go back to the agency for a recommendation on how to proceed. So it’s really the agencies and DOJ who are really in lockstep in these matters,” she said. “DOJ is making the decision, but it’s based on the recommendation of the agencies and with the total support of the agencies.”
Many times, Justice decides to intervene in a case or seek a settlement depending on whether the company in question has demonstrated reckless disregard for federal cyber rules and regulations.
McLean said a violation of the False Claims Act requires only reckless disregard, not intentional fraud.
“It’s critically important for anyone doing business with the government, especially those who are signing a contract and agreeing to do something, to make sure that they understand what that is, especially in the cybersecurity area,” she said. “What they’ve signed on to can be quite complicated. It can be legally complicated. It can be technically complicated. But signing on the dotted line without that understanding is just a recipe for getting into trouble.”
When a whistleblower files a qui tam lawsuit, McLean said that ratchets up the entire investigation. A whistleblower can be entitled to up to 30% of the government’s recovery, whether through a decision or a settlement.
Self-disclosures encouraged
If a company doesn’t understand the requirements and doesn’t put any resources into trying to understand and comply with them, that can lead to a charge of reckless disregard.
“When it comes to employee qualifications, it’s the same thing. If a contract says that there needs to be this level of education or there needs to be this level of experience, that is what needs to be provided. Or a company can get into trouble,” McLean said.
“The False Claims Act applies to making false claims and causing false claims. It’s not just the company that’s actually directly doing business with the government that needs to worry about the risk of False Claims Act liability, because a company that’s downstream, like a subcontractor who’s not submitting the claims to the government, could be found liable for causing a false claim, or, say, an assessor could be found liable for causing a false claim, or a private equity company could be found liable for causing a false claim. There are individuals who can be found liable for causing and submitting false claims.”
She added that False Claims Act allegations can apply not only to the one company that has the direct relationship with the government but also to its partners if they are not making a good faith effort to comply.
But when it’s a mistake, maybe an overpayment or something similar, the company can usually claim responsibility and address the problem quickly.
“DOJ has policies of giving credit in False Claims Act settlements for self-disclosure, cooperation and remediation. That is definitely something that is available and that companies have been definitely taking advantage of in this space,” McLean said. “DOJ understands that there’s more focus on cybersecurity than there used to be, and so there are companies that maybe didn’t attend to this as much as they now wish they had in the past. The companies discover that they’ve got some kind of a problem and want to fix it going forward, but then also figure out, ‘How do I make it right and in the past?’ ”
McLean said this is why vendors need to pay close attention to how they comply with the DoD’s new Cybersecurity Maturity Model Certification.
She said when vendors sign certifications that they are complying with CMMC standards without fully understanding what that means, that could be considered deliberate ignorance.
“Some courts have described it as gross negligence. Negligence would be a mistake. I don’t know if that helps for the nonlawyers, but corporations which do not inform themselves about the requirements or not taking the steps that are necessary, even if it’s not through necessarily ill intent, but it’s not what the government bargained for, and it’s not just an accident. It’s a little bit more than that, quite a bit more than that,” she said.
“The one thing that’s important about that development is it does involve more robust certifications, and that is something that can be a factor in a case being a False Claims Act and a case being more or less likely to be one that the government would take over. Because signing a certification when the information is not true starts to look like a lie, which starts to look like the more intentional type of fraud … rather than a mistake. It looks reckless to be signing certifications without doing this review to know that the information that’s in there is right.”
© 2025 Federal News Network. All rights reserved.