30 September 2025

Defence Majors, Startups, And Private Equity Funders Looking To The US Defence Market: Mind The Risk Of False Claims Act And Cybersecurity Liability

Herbert Smith Freehills Kramer LLP


Failure by a defence contractor, large or small, to comply with the detailed requirements provided in US government contracts can result in more than just a contract dispute. Instead, whistleblowers and the US Department of Justice can bring False Claims Act claims for triple damages and civil penalties for technical failures to comply. It is therefore critical that defence contractors and their investors (who can also be held directly liable) are fully educated about their obligations when doing business with the US government or a contractor for the government in order to prevent problems early and minimize exposure when litigation occurs. 

For UK, EU, and Australian defence contractors, and particularly technology businesses, selling to the US Department of Defense (DOD) and its contractors presents a growth opportunity. While the US has many longstanding restrictions on the purchase of defence materiel and services from non-US businesses or produced outside of the US, those rules have exceptions, including agreements with allied countries that facilitate the purchase of defence products and services. As a result, the DOD alone purchases over $10 billion in products and services from non-US businesses every year, in addition to purchases from US divisions of non-US businesses and by US-based prime contractors from non-US vendors and subcontractors. 

The opportunities in the US defence market are significant for both the long-standing major defence contractors and newer defence tech startups. But selling to the US government and its prime contractors (or their subcontractors) comes with legal risks well beyond those of a normal commercial contract. US defence contracts and many subcontracts incorporate tomes of regulations and default terms, many of which are esoteric and may seem irrelevant to the day-to-day commercial performance of the contract. However, failure to comply with these requirements, which are often simultaneously hyper-detailed and yet still ambiguous, can result not only in breach of contract litigation with the US government in US courts, but also liability for treble (triple) damages and penalties under the False Claims Act (FCA), a procurement fraud statute. 

This risk has manifested most recently in a series of cases this year where the US Department of Justice (DOJ), aided by whistleblowers, obtained multimillion dollar settlements from defence contractors, both large and small, as well as in one case a contractor's private equity investor, for alleged failures to comply with the technical cybersecurity requirements incorporated into their US defence contracts. In these cases there was no allegation of an actual cyberattack or data breach, only technical and procedural compliance shortcomings, yet the liability, the potentially bet-the-company risk, and the publicly disclosed settlement agreements were no less real. 

The US False Claims Act

The FCA is a federal law originally intended to combat procurement fraud. It allows the US government to seek civil penalties and treble damages against individuals and businesses that knowingly submit, or cause to be submitted, materially false or misleading claims for payment to the US government or its funding recipients. Although the FCA is nominally an anti-fraud statute, in practice, DOJ regularly pursues FCA claims against contractors for what otherwise should be a mere breach of contract claim. 

In some cases, DOJ brings the case directly based on the reports from the contracting officials or auditors at DOD. However, the FCA also allows whistleblowers, called “relators,” to bring FCA cases directly in federal court against the contractor on behalf of the US government, in what's called a qui tam action, or an action brought “in the name of the king.” Whistleblowers initially file the action under seal and without serving it on the contractor defendant, and DOJ investigates the claim with powers equivalent to a grand jury. 

If DOJ decides the case has merit, it may intervene and take over litigation of the case, which is then unsealed and litigated like a civil action. If DOJ prevails in court or the case settles, the whistleblower receives a share. If DOJ declines to intervene, then the whistleblower has the option to continue the litigation on his own, in exchange for a larger share of any award or settlement. FCA cases brought by whistleblowers make up the bulk of FCA cases filed and litigated, often at great expense to contractors, but only result in a tiny fraction of recoveries under the FCA.

Cybersecurity compliance failures lead to FCA liability

US government contracts with DOD and other agencies incorporate a number of technical cybersecurity requirements and have done so for years. DOJ has long threatened to pursue FCA liability for cybersecurity compliance failures, including since at least the Biden administration, but the cases and settlements have been few and far between. Now, however, efforts to enforce cybersecurity rules through FCA liability, with its significant financial consequences, have picked up momentum with a series of settlements this year.

DOJ declared its intent to use the FCA for cybersecurity compliance in October 2021, while launching its Civil Cyber-Fraud Initiative. In that initiative, DOJ lawyers were directed to use the FCA to pursue cybersecurity compliance failures by government contractors and grant recipients as fraud.1 DOJ contemplated using the FCA to penalize contractors that deployed deficient cybersecurity services, misrepresented security controls, or failed to report breaches as required under federal contracts and incorporated regulations. Even before this year, the DOJ announced several settlements under this initiative.2

DOD's Office of Inspector General (OIG) has also been attuned to cybersecurity compliance. In January 2025, OIG issued an audit criticizing DOD's process for approving third-party vendors that perform Cybersecurity Maturity Model Certification (CMMC) assessments.3 The purpose of these CMMC assessments is to promote basic cyber hygiene to maintain security for Controlled Unclassified Information and Federal Contract Information. The audit found that DOD did not fully implement required internal controls over the CMMC certifier program, raising concerns about the qualification of certifying bodies and whether noncompliant contractors had been certified.

With these precursors, it is perhaps no surprise that the defence sector has seen a number of FCA settlements this year related to cybersecurity.

First, in February, the DOJ announced an $11.25 million settlement with Health Net Federal Services, LLC, which is a managed care provider for the military health plan TRICARE, and its parent company, Centene. Health Net had agreed in its contract to provide IT services “as needed to accomplish the stated functional and operational requirements” of the program, and to adhere to privacy and cybersecurity regulations. It also submitted annual reports certifying its compliance with certain cybersecurity controls. DOJ alleged, among other things, that Health Net failed to perform timely scans for known vulnerabilities in its systems and ignored reports from security auditors about several compliance failures, including utilizing improper access controls, incorrect software configurations, software and hardware at its end of life, poor patch management practices, and problematic password policies. The government took the position that these violations rendered the claims for payment false, “regardless of whether there was any exfiltration or loss of servicemember data or protected health information.”5

Then, in March, MORSECORP, Inc., a software developer with contracts to build AI tools for DOD, agreed to pay $4.6 million to settle allegations that it failed to comply with cybersecurity obligations in its defence contracts.6 The settlement arose from a qui tam complaint filed by Morse's head of security, who alleged that the company failed to satisfy requirements DOD imposes on all contractors to provide adequate security on all covered contractor information systems, and to satisfy the Federal Risk and Authorization Management Program (FedRAMP) cloud provider baseline for security requirements. According to the whistleblower, from 2018 to 2022, the company used noncompliant third-party email hosting, lacked a consolidated written security plan, failed to implement required controls, and did not timely update its Supplier Performance Risk System after a third-party assessment lowered its score.7

And in May, Raytheon Companies and Nightwing Group settled with the DOJ for $8.4 million to resolve allegations that they failed to implement required cybersecurity protections on an internal development system used in unclassified work under DOD contracts.8 That settlement resulted from a qui tam action filed by a former Raytheon director of engineering, which alleged that Raytheon used its noncompliant internal system to develop and store covered defence information and federal contract data for 29 contracts. And that whistleblower received $1.5 million of the settlement funds.

Next, in late July, defence contractor Aero Turbine, Inc. and its former private equity investor Gallant Capital Partners, LLC agreed to pay $1.75 million to resolve FCA claims arising from cybersecurity compliance issues.9 According to the settlement agreement, Aero Turbine failed to implement cybersecurity controls over access to technical data, assuming incorrectly that its export controls procedures were sufficient to prevent exfiltration of defence information. As a result, when Aero Turbine and Gallant engaged an Egyptian vendor to work on internal software containing defence information, that vendor received unauthorized access to the defence information. Aero Turbine and Gallant received cooperation credit from DOJ for self-disclosing these issues and cooperating in the investigation, and paid only 1.5x the government's alleged injury, less than the 2x multiple settling defendants typically pay.

Finally, again in late July, Illumina, a manufacturer of genomic sequencing devices, settled an FCA action brought by a former senior employee alleging that sequencing devices it sold to the government included software with cybersecurity vulnerabilities.10 According to the government, Illumina failed to consider cybersecurity in its software development processes and did not properly support its development staff in implementing cybersecurity measures, and as a result it falsely certified that it complied with various national and international standards for cybersecurity. Even though there were no allegations of an actual cybersecurity incident, Illumina agreed to pay $9.8 million to settle the case, more than double the alleged damages. 

These cases make clear that the DOJ – armed with information supplied by knowledgeable whistleblowers up to and including the very people responsible for cybersecurity – is willing to aggressively pursue technical failures in cybersecurity, even if there is no evidence of a breach. Moreover, these cases also show that even common practices, like relying on third-party cloud service providers, are risky if contractors fail to exercise best practices in ensuring their vendors' compliance with federal standards. Traditional large defence contractors and defence-tech startups alike face real exposure, and need to take steps to ensure that compliance, legal, and technical departments are all attuned to the existence of these cybersecurity regulations and the serious implications of failure to comply.

Footnotes

1. U.S. Dep't of Justice, Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative (Oct. 6, 2021), https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative.

2. See, e.g., U.S. Dep't of Justice, Medical Services Contractor Pays $930,000 to Settle False Claims Act Allegations Relating to Medical Services Contracts at State Department and Air Force Facilities in Iraq and Afghanistan (Mar. 8, 2022), https://www.justice.gov/archives/opa/pr/medical-services-contractor-pays-930000-settle-false-claims-act-allegations-relating-medical; U.S. Dep't of Justice, Cooperating Federal Contractor Resolves Liability for Alleged False Claims Caused by Failure to Fully Implement Cybersecurity Controls (Sept. 5, 2023), https://www.justice.gov/archives/opa/pr/cooperating-federal-contractor-resolves-liability-alleged-false-claims-caused-failure-fully; U.S. Dep't of Justice, United States Files Suit Against the Georgia Institute of Technology and Georgia Tech Research Corporation Alleging Cybersecurity Violations (Aug. 22, 2024), https://www.justice.gov/archives/opa/pr/united-states-files-suit-against-georgia-institute-technology-and-georgia-tech-research; U.S. Dep't of Justice, Consulting Companies to Pay $11.3M for Failing to Comply with Cybersecurity Requirements in Federally Funded Contract (June 17, 2024), https://www.justice.gov/archives/opa/pr/consulting-companies-pay-113m-failing-comply-cybersecurity-requirements-federally-funded.

3. U.S. Dep't of Defense Office of Inspector General, Audit of the DoD's Process for Authorizing Third Party Organizations to Perform Cybersecurity Maturity Model Certification 2.0 Assessments (Report No. DODIG-2025-056) (Jan. 14, 2025), https://www.DODig.mil/In-the-Spotlight/Article/4028197/press-release-audit-of-the-DODs-process-for-authorizing-third-party-organizatio/.

4. Settlement Agreement (Feb. 2025), https://www.justice.gov/usao-edca/media/1389341/dl.

5. Id. at 3.

6. U.S. Dep't of Justice, Defense Contractor MORSECORP Inc. Agrees to Pay $4.6 Million to Settle Cybersecurity Fraud Allegations (Mar. 26, 2025), https://www.justice.gov/opa/pr/defense-contractor-morsecorp-inc-agrees-pay-46-million-settle-cybersecurity-fraud.

7. Settlement Agreement (Mar. 2025), https://www.justice.gov/usao-ma/media/1394436/dl?inline.

8. U.S. Dep't of Justice, Raytheon Companies and Nightwing Group to Pay $8.4M to Resolve False Claims Act Allegations Relating to Non-Compliance with Cybersecurity Requirements in Federal Contracts (May 1, 2025), https://www.justice.gov/opa/pr/raytheon-companies-and-nightwing-group-pay-84m-resolve-false-claims-act-allegations-relating.

9. U.S. Dep't of Justice, California Defense Contractor and Private Equity Firm Agree to Pay $1.75M to Resolve False Claims Act Liability Relating to Voluntary Self-Disclosure of Cybersecurity Violations (July 31, 2025), https://www.justice.gov/opa/pr/california-defense-contractor-and-private-equity-firm-agree-pay-175m-resolve-false-claims; Settlement Agreement (July 2025), https://www.justice.gov/opa/media/1409651/dl.

10. U.S. Dep't of Justice, Illumina Inc. to Pay $9.8M to Resolve False Claims Act Allegations Arising from Cybersecurity Vulnerabilities in Genomic Sequencing Systems (July 31, 2025), https://www.justice.gov/opa/pr/illumina-inc-pay-98m-resolve-false-claims-act-allegations-arising-cybersecurity; Settlement Agreement (July 2025), https://www.justice.gov/opa/media/1409561/dl.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
