DOJ Expands Civil Cyber-Fraud Efforts as Contractor Scrutiny Grows

As part of its expanding civil cyber-fraud enforcement efforts, the Department of Justice (DOJ) is increasing scrutiny of federal contractors over cybersecurity compliance. The DOJ’s actions signal heightened contractor scrutiny, with investigations and settlements accelerating as the government targets cyber-related fraud that threatens federal systems and sensitive data.

The Civil Cyber-Fraud Initiative: Expansion of the Enforcement Territory

The Civil Cyber-Fraud Initiative is a program that started operating in 2021 and gives the Department of Justice the power to sue under the False Claims Act those who falsify their compliance with cybersecurity or fail to fulfill the contractual requirements of cybersecurity. The Department of Justice has resolved 15 cases and is in the process of many more investigations, which have not been disclosed yet. These actions of the enforcement officials constitute a very loud and clear signal: The security of information is at the very heart of the federal government's concern, especially when it comes to the constantly changing cyber threats that are putting national security at risk.

Recent Key DOJ Cyber-Fraud Settlements

1. Hill Associates — July 2025

The first settlement in the row was that of Hill Associates, which was to pay a minimum of $14.75 million. Hill Associates was providing IT services to the General Services Administration (GSA). The Department of Justice (DOJ) alleges that Hill Associates, even though it did not succeed in passing the required technical evaluations for offering advanced cybersecurity services, submitted claims to the government for these services. Hence, it violated the False Claims Act. This lawsuit is a good example of the emphasis on the DOJ ensuring that contractors beheld capabilities in cybersecurity the way they claim.

2. Illumina Inc. — July 2025

Unusual in many respects, Illumina resolved its case for $9.8 million, while disputing the charge, which concerned cybersecurity vulnerabilities in genomic sequencing systems sold to federal agencies, including Health and Human Services, Homeland Security, and Agriculture. The accusations made by the DOJ against Illumina were as follows:

• Illumina falsely claimed that it complies with cybersecurity standards set by ISO and NIST.
• Illumina failed to integrate security measures in product design and development phases.
• Illumina did not provide adequate support for security personnel and security processes.
• Illumina continued to use systems with existing vulnerabilities.

This lawsuit emphasizes the need for cybersecurity regulations when it comes to health and biomedical technologies used in federal programs.

3. Aero Turbine Inc. and Gallant Capital Partners, LLC — September 2025

Aero consented to a $1.75 million settlement after it was charged with not following the cybersecurity rules laid down in its contract with the Department of the Air Force. The criminal complaint claimed that the company had only halfway implemented NIST SP 800-171 standards, which are fundamental to the security of controlled unclassified information. The case was about the improper handling of confidential defense information and the unauthorized access that was facilitated by a software provider in Egypt.

4. Georgia Tech Research Corporation (GTRC) — September 2025

In the latest settlement, GTRC consented to a payment of $875,000 after being accused of not adhering to cybersecurity standards while performing the sensitive research for the Department of Defense. The Department of Justice (DOJ) alleged that Georgia Tech Research Corporation (GTRC):

• Omitted the installation or updating of antivirus or anti-malware tools on machines used for defense research.
• Had no formal security plan for its cybersecurity system.
• Provided a fraudulent cybersecurity assessment score based on a fabricated scenario and thus misled the DoD about its cybersecurity readiness.

Importance and the Days to Come

That these prosecutorial actions took place at such a moment is of great significance, considering that the Department of Defense's final rule, effective November 10, 2025, will require the implementation of the Cybersecurity Maturity Model Certification (CMMC). As per the rule, contractors are required to fulfil specific cybersecurity standards in order to be granted federal contracts, thus showing how determined the federal government is to enhance cybersecurity in the supply chain.

It is a clear indication from the DOJ that they are not kidding about their threat to take action against those who do not observe cybersecurity standards. They are no longer simply inviting these contractors to voluntarily follow them but rather ordering them to legally comply. It would be in the best interest of contractors to thoroughly examine their cybersecurity conditions and put them in check even before the arrival of an inspection or enforcement action because the number of such events will increase massively if no action is taken.

The recent settlements by the Department of Justice illustrate its resolve to fight against fraudulent activities in the field of cybersecurity committed by federal contractors. With new and more demanding standards such as the CMMC in the offing, government contractors should pay more attention to the compliance of cybersecurity as a means of lessening the risks of being targeted by the law and, at the same time, protect the interests of national security. As the investigations progress, the message tends to become clearer: the integrity of cybersecurity is a prerequisite for obtaining trust and being accountable in federal contracting.