
Recent developments in FCA cybersecurity enforcement for government contractors


The U.S. Department of Justice (“DOJ”) has continued to pursue cybersecurity-related fraud in government contracting, reaching seven settlements in 2025. Together, these settlements illustrate the continuing need for contractors to familiarize themselves with the cybersecurity requirements that apply to their contracts and to maintain ongoing compliance with them.

Illumina, Inc.

On July 31, 2025, DOJ announced a $9.8 million settlement with Illumina, Inc. (“Illumina”) resolving allegations that Illumina sold genomic sequencing systems (a type of medical device) to the government with software that allegedly contained cybersecurity vulnerabilities and, according to DOJ, without systems in place to identify and remedy those vulnerabilities.

In September 2023, a whistleblower filed a False Claims Act (“FCA”) qui tam case in federal court in the District of Rhode Island alleging that the company sold its products to multiple government agencies, including DOJ, the Department of Defense (“DoD”), the National Aeronautics and Space Administration (“NASA”), the Department of Homeland Security (“DHS”), and the Department of Agriculture (“USDA”), while falsely representing that its products’ software adhered to the cybersecurity requirements for medical products set forth in the Food and Drug Administration’s Quality System regulation.

In the settlement agreement, DOJ alleged that, from February 24, 2016 through September 28, 2023, the company knowingly:

  • failed to incorporate cybersecurity throughout its product’s lifecycle (software design, development, installation, and monitoring);
  • failed to properly support and resource personnel, systems, and processes tasked with product security;
  • failed to adequately correct design features that introduced cybersecurity vulnerabilities into the genomic sequencing systems; and,
  • falsely represented that the software on the genomic sequencing systems adhered to contractually mandated cybersecurity standards.

Key Takeaway: This settlement illustrates that DOJ’s focus extends beyond a contractor’s initial adoption and implementation of cybersecurity standards to its affirmative, ongoing obligation to monitor and maintain compliance with those standards.

Aero Turbine Inc.; Gallant Capital Partners LLC

On July 31, 2025, DOJ announced a $1.75 million settlement with Aero Turbine, Inc. (“ATI”) and Gallant Capital Partners LLC (“Gallant”), a private equity firm that owned a controlling share of ATI, related to ATI’s alleged failure to comply with DoD cybersecurity requirements. According to the settlement agreement, ATI and Gallant “received credit” for submitting two voluntary disclosures reporting ATI’s noncompliance with cybersecurity standards under its 2017 contract with the U.S. Air Force (“USAF”) for repair and maintenance of General Electric J85 turbojet engines.

First, ATI disclosed that, from January 1, 2018 until February 29, 2020, it had not fully implemented the National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 security controls required by Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7012. Second, ATI disclosed that, from June 6, 2019 to July 29, 2019, it failed to control the flow of Controlled Unclassified Information (“CUI”) and failed to limit access to its information system to authorized users, including by allowing a third-party software company with personnel in Egypt to access CUI. According to DOJ, ATI had “assumed” that it met its NIST obligations because it had implemented export controls to protect technical data. Export-control compliance and NIST SP 800-171 compliance are distinct obligations, however, and apparently neither ATI nor Gallant verified that ATI actually met the specific controls set forth in NIST SP 800-171, as its USAF contract required.

Key Takeaway: DOJ has recently confirmed that voluntary disclosure, cooperation, and remediation are mitigating factors, but they will not necessarily absolve a company of alleged cybersecurity violations.

Hill ASC Inc., d/b/a Hill Associates

In mid-July 2025, DOJ announced that Hill ASC, Inc., d/b/a Hill Associates (“Hill”), agreed to pay $14.75 million to settle several FCA allegations stemming from conduct between April 6, 2018 and February 3, 2023 under a General Services Administration (“GSA”) Multiple Award Schedule contract.

A portion of the settlement resolved allegations that the company submitted invoices under Department of the Treasury task orders for cybersecurity services that it was not approved to perform and that fell outside the scope of its contract. Specifically, the contract allegedly did not cover certain categories of services, including Highly Adaptive Cybersecurity Services, Cloud Computing and Cloud Related IT Professional Services, and IT Training. In addition, the company allegedly never passed the oral technical evaluation that is a prerequisite for providing the Highly Adaptive Cybersecurity Services it billed for.

Key Takeaway: This settlement underscores DOJ’s heightened enforcement focus on cybersecurity-related procurement fraud and the importance of good-faith compliance with contract requirements, particularly for the delivery of security-critical services.

Raytheon Companies

In May 2025, DOJ settled an FCA qui tam lawsuit against Raytheon Company (“Raytheon”), its parent RTX Corporation (“RTX”), and a divested entity for $8.4 million.

The case arose in 2021, before the business unit at issue was sold, when a whistleblower filed a lawsuit against Raytheon for alleged misconduct between 2015 and 2021. In March 2024, RTX sold its Cybersecurity, Intelligence, and Services business unit, and the divested entity became the successor in liability for Raytheon and RTX with respect to that unit.

The complaint alleged that the company violated the FCA by failing to implement certain cybersecurity controls on an internal network used to perform unclassified work on 29 DoD contracts and subcontracts. Specifically, DOJ alleged that, between August 2015 and June 2021, the company failed to develop and implement the required System Security Plan (“SSP”) for that network.

This alleged failure violated (i) DFARS 252.204-7012 requirements to provide “adequate security on all covered contractor information systems” that process or store covered defense information by implementing NIST SP 800-171, and (ii) Federal Acquisition Regulation (“FAR”) 52.204-21 requirements for contractors to apply “basic safeguarding requirements and procedures to protect covered contractor information systems” that process federal contract information.

Key Takeaway: This settlement is notable because it highlights DOJ’s focus on not just implementing but also documenting cybersecurity safeguards, including through an SSP. It also shows how a successor can face exposure for conduct that occurred before an acquisition.

MORSECORP, Inc.

Similar issues to those in the May 2025 Raytheon settlement were raised in DOJ’s earlier settlement with MORSECORP, Inc. (“MORSE”) in March 2025. After a whistleblower filed a qui tam action against MORSE in January 2023, DOJ served MORSE with a subpoena relating to its cybersecurity practices. Roughly two years after the qui tam filing, in March 2025, MORSE agreed to pay $4.6 million to resolve allegations that it had violated the FCA by billing the government while failing to comply with the cybersecurity requirements in its contracts with the Departments of the Army and Air Force.

In particular, DOJ alleged, and MORSE admitted, that between January 2018 and September 2022, MORSE used a third-party company to host its email without requiring and ensuring that the third party (i) met security requirements equivalent to the Federal Risk and Authorization Management Program (“FedRAMP”) Moderate baseline, as required by DFARS 252.204-7012(b)(2)(ii)(D), and (ii) complied with the additional DoD cybersecurity requirements in DFARS 252.204-7012(c)-(g) (e.g., reporting cyber incidents, submitting discovered malicious software to the Government, and providing additional information if the Government requests a forensic analysis). DOJ further alleged that MORSE failed to implement all required NIST SP 800-171 controls, including the creation of an SSP, which allegedly left MORSE’s network exposed to exploitation or exfiltration.

DOJ further alleged that MORSE failed to timely correct the NIST assessment score it had submitted. In January 2021, MORSE posted a near-perfect score of 104 (out of a maximum possible score of 110) for its implementation of NIST SP 800-171 security controls to the Supplier Performance Risk System (“SPRS”), as required under DFARS 252.204-7019 and 252.204-7020. A gap analysis in July 2022, however, allegedly indicated that MORSE’s score was significantly lower (at -142) and that nearly 80% of the required NIST SP 800-171 controls had never been implemented or were only partially implemented. The Government alleged that MORSE did not correct its score until nearly a year later, three months after the United States served MORSE with a subpoena concerning its cybersecurity practices in March 2023.

Key Takeaway: As this case illustrates, federal contractors should confirm that their NIST assessment scores in SPRS are accurate, promptly correct scores affected by newly identified security gaps or system changes, and work to remediate those gaps once identified.

U.S. health care insurance provider

In February 2025, DOJ resolved allegations that a U.S. health care insurance provider and its corporate parent had violated the FCA by falsely certifying compliance with certain cybersecurity requirements while administering the TRICARE health benefits program for DoD’s Defense Health Agency (“DHA”). The $11 million settlement resolved allegations that, between 2015 and 2018, the company (i) failed to satisfy certain cybersecurity controls, including controls drawn from NIST SP 800-53 and DFARS 252.204-7012, and (ii) falsely certified compliance with those requirements in its annual NIST Compliance Certifications to DHA in 2015, 2016, and 2017. Specifically, DOJ alleged that the company failed to timely scan for known vulnerabilities or to remedy security flaws on its networks and systems, and that it ignored both internal and external audits that highlighted security risks to its network. As part of the agreed resolution, the insurance provider and its corporate parent denied the allegations and admitted no wrongdoing.

Key Takeaway: This settlement highlights DOJ’s focus on continuous monitoring and remediation. Contractors cannot rely on one-time certifications; they should be able to demonstrate ongoing compliance through other means to reduce FCA risk. Companies should also note that the parent company acquired the insurance provider in 2016, within the period of the alleged misconduct, and by virtue of that acquisition assumed the insurance provider’s actual and potential liabilities, including the FCA claims ultimately brought against it. This underscores the importance of robust due diligence when considering the acquisition of a federal government contractor: potential exposure to FCA claims should be investigated and weighed before an acquisition proceeds.

Georgia Institute of Technology

Finally, on September 30, 2025, DOJ settled its FCA qui tam case against the Georgia Tech Research Corporation (“GTRC”) and the Georgia Institute of Technology (“Georgia Tech”) for $875,000, the first of these cybersecurity cases in which DOJ itself filed a complaint in intervention. Briefly, in July 2022, two relators brought an FCA suit against GTRC and Georgia Tech, alleging that the defendants violated the cybersecurity requirements set forth in NIST SP 800-171 by failing to protect CUI under DoD contracts. DOJ intervened in August 2024, alleging, among other things, that Georgia Tech failed to install, update, or run required anti-virus software at Georgia Tech’s Astrolavos Lab and failed to implement a system security plan for the lab.

Read our earlier update of the Georgia Tech case here.

Key Takeaway: This case is notable for the government’s complaint in intervention, which, although filed during the last Administration, still serves as a roadmap to DOJ’s thinking about these types of cases, signaling the agency’s priorities, legal theories, and enforcement approach.


Authored by Stacy Hadeka, Jasmeet Ahuja, Jonathan Diesenhaus, Taylor Hillman, Ashley Ruhe, and Zach Sanfilippo.

Next steps

These enforcement trends demonstrate the real risks posed by failures to meet cybersecurity requirements in government contracts and underscore the need for contractors to remain vigilant, stay current with evolving requirements, and maintain robust compliance practices in the face of continued DOJ enforcement. Together, these developments highlight enforcement priorities, inform compliance strategies, and help government contractors identify pathways to reduce FCA risk. Hogan Lovells stands ready to help, with market-leading lawyers who have deep experience in FCA investigations and litigation and a deep understanding of the A&D industry.
