ARTICLE
16 December 2025

NIST SP Standards Strike Again: DOJ Announces Another Cyber FCA Settlement

Arnold & Porter

Contributor

Arnold & Porter is a firm of more than 1,000 lawyers, providing sophisticated litigation and transactional capabilities, renowned regulatory experience and market-leading multidisciplinary practices in the life sciences and financial services industries. Our global reach, experience and deep knowledge allow us to work across geographic, cultural, technological and ideological borders.

The U.S. Department of Justice (DOJ) announced its most recent settlement under the Civil Cyber-Fraud Initiative on December 5, 2025, for about $420,000. This is yet another settlement stemming from a defense contractor's alleged failure to adequately implement cybersecurity controls specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.

More specifically, the Settlement Agreement alleges that Swiss Automation, a precision machining manufacturer, failed to provide adequate cybersecurity for technical drawings of certain parts it supplied to government contractor customers under nine purchase orders covered by Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. DFARS 252.204-7012 requires that a contractor's information system that contains controlled unclassified information implement the cybersecurity controls in NIST SP 800-171. The Settlement Agreement does not reference any particular cybersecurity controls that allegedly were not implemented and instead summarily alleges that Swiss Automation's knowing failure to provide adequate cybersecurity controls caused the submission of false claims for payment.

A former quality-control manager filed the case and will receive $65,000 or approximately 15% of the settlement amount as his relator's share.

As Qui Notes readers know, DOJ has settled several cases this year related to implementation of the NIST SP controls. Indeed, we have covered earlier settlements related to NIST SP controls across industries — including defense, private equity, and education. We will continue to monitor the latest cybersecurity settlements, including those related to failures to adequately implement the NIST standards. You can also keep track of all cyber-related FCA resolutions using Qui Notes' Cyber FCA Tracker.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
