By Scott P. Fitzsimmons, Senior Partner (Washington, DC)
A recent series of high-profile settlements has drawn attention to the U.S. Department of Justice’s (DOJ) pursuit of fraud cases involving cybersecurity and federal contracting. These settlements arise from the Civil Cyber-Fraud Initiative, launched in October 2021, which aims to enforce accountability among contractors under the False Claims Act (FCA), 31 U.S.C. §§ 3729–3733. At the heart of these cases are allegations that contractors failed to adhere to stringent cybersecurity requirements imposed by the federal government, including those outlined in Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 and 252.204-7019.
Recently, Pennsylvania State University (Penn State) settled with DOJ over allegations surrounding the university’s cybersecurity practices. This settlement, the most recent example of DOJ’s enforcement efforts, is a reminder that contractors should be aware of their cybersecurity obligations and of the risk that non-compliance carries.
The Penn State Settlement: A Warning to All Federal Contractors
On October 4, 2024, Penn State agreed to pay $1.25 million to settle allegations that it had violated federal cybersecurity obligations under multiple Department of Defense (DoD) contracts. The case arose from a whistleblower action filed by the former chief information officer for Penn State’s Applied Research Laboratory. See U.S. ex rel. Decker v. Pennsylvania State University, No. 2:22-cv-03895 (E.D. Pa.). DOJ alleged that the university failed to implement NIST SP 800-171 security controls, a requirement for safeguarding Controlled Unclassified Information (CUI). As mandated by DFARS 252.204-7012, contractors handling CUI must adopt the NIST controls to prevent unauthorized access to sensitive government data. DOJ alleged that Penn State not only missed implementation deadlines but also knowingly submitted inaccurate compliance reports to the Supplier Performance Risk System (SPRS), misleading federal agencies about the true state of its cybersecurity readiness.
DOJ asserted that Penn State’s violations spanned from 2018 through 2023, during which time the university received federal funds without fully complying with contract requirements. Although the university disclosed some of its cybersecurity deficiencies by November 2020, the DOJ contended that the university did not take adequate steps to remediate the issues. The case demonstrates that contractors cannot rely on partial compliance or self-reporting alone to avoid FCA liability.
The AFDS Case: Fallout from a Cybersecurity Breach
Another illustrative case involves ASRC Federal Data Solutions (AFDS), which settled with the DOJ on October 15, 2024, agreeing to pay $306,722. This settlement followed a data breach involving unencrypted screenshots containing sensitive Medicare beneficiary data. Under its contract with the Centers for Medicare and Medicaid Services (CMS), AFDS was required to adhere to federal cybersecurity standards. AFDS’s subcontractor, however, allegedly stored these screenshots without encryption, violating the contract’s Rules of Behavior and other cybersecurity provisions. A breach in October 2022 exposed the files, and although AFDS promptly notified CMS and cooperated with the DOJ investigation, the DOJ still pursued a False Claims Act violation. The DOJ’s decision to credit AFDS for its quick response and remedial actions, such as providing credit monitoring, underscores the importance of swift action in mitigating liability.
The Guidehouse and NMA Settlements: Pre-Launch Failures
In May 2024, the DOJ secured a joint settlement of $11.3 million from Guidehouse Inc. and Nan McKay & Associates (NMA). The case revolved around alleged failure to perform required cybersecurity testing before launching a system used to distribute funds under New York’s Emergency Rental Assistance Program (ERAP). Both companies were responsible for ensuring that pre-production systems were adequately tested to prevent data breaches, as mandated by their federal contracts. Despite allegedly knowing that testing tools were malfunctioning, Guidehouse and NMA launched the program in June 2021, resulting in personal data being exposed online within hours of the program going live.
Although neither Guidehouse nor NMA admitted fault, the DOJ argued that the contractors knowingly violated cybersecurity obligations under their contracts. The settlement illustrates the risks associated with cybersecurity and emphasizes that federal contractors must rigorously test systems before launch to avoid potential breaches.
Georgia Tech’s Ongoing FCA Litigation: A Case of Systematic Noncompliance
DOJ’s recent intervention in a case against Georgia Tech highlights the long-term risks of noncompliance. See United States ex rel. Craig v. Georgia Tech Research Corp, et al., No. 1:22-cv-02698 (N.D. Ga.). According to the government’s complaint, filed in August 2024, Georgia Tech allegedly violated federal cybersecurity requirements by falsely representing its adherence to the DFARS and NIST SP 800-171 controls in contracts with the DoD. The allegations assert that, despite knowing about the need to comply with federal cybersecurity mandates, the university failed to develop a comprehensive security plan for certain research labs and misled the DoD by reporting fictitious cybersecurity compliance scores.
The complaint, which remains pending, underscores DOJ’s focus on the intersection of federal funding and cybersecurity. Contractors working with DoD are warned that relaxed enforcement of internal cybersecurity policies can result in severe legal consequences, even when no actual data breach occurs.
Lessons for Federal Contractors
The recent settlements and ongoing cases signal a clear message: compliance with cybersecurity requirements is non-negotiable. Contractors must treat cybersecurity as an integral part of their operations, not as an afterthought. The DOJ’s enforcement actions also highlight several key points:
- Strict Adherence to Federal Regulations: Contractors must comply with cybersecurity frameworks, such as NIST SP 800-171, as mandated by DFARS clauses 252.204-7012 and 252.204-7019. Partial compliance or delays can result in liability under the FCA, even in the absence of a breach.
- Accurate Reporting: Misrepresenting compliance status—whether intentionally or through negligence—can constitute fraud under the FCA. As seen in the Penn State and Georgia Tech cases, allegedly inaccurate submissions to federal databases like SPRS expose contractors to significant legal risks.
- Responsiveness and Remediation Matter: Contractors that quickly respond to breaches and cooperate with investigations may receive favorable treatment from DOJ, as demonstrated by the AFDS case. Prompt action, however, does not absolve contractors of liability for prior non-compliance.
- Testing and Pre-Launch Assessments are Critical: The Guidehouse and NMA case highlights the importance of rigorous cybersecurity testing before launching any system that handles personal data. Contractors must ensure compliance at every stage of the contract to avoid exposure under the FCA.
Conclusion
The DOJ’s recent wave of settlements and interventions serves as a reminder that contractors working with federal agencies must treat cybersecurity as a core obligation. The Civil Cyber-Fraud Initiative will continue to scrutinize contractors for both compliance failures and misrepresentations, making it essential for organizations to adopt proactive compliance strategies. Contractors must not only meet technical requirements but also ensure accurate reporting.