Million-Dollar Fines for Cybersecurity Lapses: What Government Contractors Need to Know

The Department of Justice (DOJ) is sending a clear message to federal contractors: cybersecurity compliance is not optional. Through its Civil Cyber-Fraud Initiative, the DOJ is aggressively pursuing contractors for failing to meet their contractual cybersecurity obligations, resulting in multi-million dollar settlements. This heightened enforcement landscape, coupled with the new Cybersecurity Maturity Model Certification (CMMC) requirements, means that government contractors must be more vigilant than ever in securing their systems and data.

A New Era of Enforcement: Recent DOJ Settlements
The DOJ has made it clear that it will use the False Claims Act to hold contractors accountable for cybersecurity failures. Here are some of the recent, significant settlements that every government contractor should be aware of:
Company                            | Settlement Amount | Allegations
-----------------------------------|-------------------|------------------------------------------------------------------------------------------------------------------------
Hill Associates                    | $14.75 million    | Charged the government for highly adaptive cybersecurity services it was not qualified to provide.
Illumina Inc.                      | $9.8 million      | Sold genomic sequencing systems with known cybersecurity vulnerabilities, falsely representing them as compliant with NIST and ISO standards.
Aero Turbine Inc.                  | $1.75 million     | Failed to comply with NIST SP 800-171 and provided an unauthorized foreign company with access to sensitive defense information.
Georgia Tech Research Corporation  | $875,000          | Failed to use anti-virus/anti-malware tools, lacked a system security plan, and submitted a false cybersecurity assessment score to the DoD.
These cases demonstrate that the DOJ is not just focused on data breaches. The investigations and fines have been triggered by a range of issues, from misrepresenting cybersecurity capabilities to failing to implement basic security controls.
Key Takeaways for Federal Contractors
The recent enforcement actions offer several critical lessons for contractors:
  • A breach is not required for liability: The DOJ has explicitly stated that cyber fraud can exist even if a contractor has not experienced a cyber incident.
  • Whistleblowers are a driving force: Several of these investigations were initiated by whistleblower complaints from former employees. This underscores the importance of having a strong internal compliance culture.
  • Documentation and accuracy are paramount: The DOJ is scrutinizing contractors’ cybersecurity practices during product development, as well as the accuracy of their assessment scores and representations to the government.
Navigating CMMC Compliance with Capital Cyber
With the November 10 effective date of the new DFARS rule incorporating CMMC standards, the pressure on contractors to demonstrate compliance has never been greater. This is where Capital Cyber can help.
We specialize in helping government contractors navigate the complexities of CMMC and build a robust cybersecurity posture that can withstand DOJ scrutiny. Our services include:
  • CMMC Readiness Assessments: We identify gaps in your current cybersecurity practices and provide a clear roadmap to achieve compliance.
  • Policy and Procedure Development: We help you create the necessary documentation, including System Security Plans (SSPs), to meet CMMC requirements.
  • Security Control Implementation: We assist in implementing the technical controls required by CMMC, including ransomware protection, elevation control, and web filtering.
  • Compliance Tracking: We provide tools and expertise to continuously monitor your compliance status and ensure you are always prepared for an audit.
  • Employee Training: We offer cybersecurity awareness training to educate your employees on best practices and reduce the risk of human error.
Don’t wait for a DOJ investigation to take your cybersecurity obligations seriously. The financial and reputational risks are simply too high. Contact Capital Cyber today for a consultation and let us help you build a defensible cybersecurity program that protects your business and your government contracts.