The Justice Department’s push to encourage whistleblowers to raise cybersecurity fraud claims against US contractors has produced settlements that provide a window into alleged lapses, vulnerabilities, and shortcomings amongst governmental partners of all stripes.
Georgia Institute of Technology last month became the latest federal funds recipient to resolve a False Claims Act suit alleging inadequate performance of cybersecurity services in federal contracts. DOJ has announced at least seven settlements in 2025, worth about $51 million.
These announcements come a few years into the DOJ’s civil cyber fraud initiative to hold accountable contractors that put federal systems and the government’s information at risk from inadequate cybersecurity.
When whistleblowers come forward, they have a lot to say about why contractors may be falling short in their obligations, attorneys say, such as a lack of cybersecurity sophistication, unwillingness to spend money, failing to communicate, and prioritizing private businesses over government customers.
Cybersecurity knowledge isn’t standard for all government contractors, said Stephanie Siegmann of Hinckley Allen. Compliance is expensive, she said, and businesses “often do not want to spend money on cybersecurity until after they have suffered a cyberattack.”
‘Head in the Sand’
One cybersecurity compliance issue, according to Joe Swanson of Foley & Lardner LLP, is that many contractors “siloed” their compliance and information security functions. Members of those teams “do not speak each other’s language,” he said.
If an information security team member expresses a concern about compliance, for example, the compliance team needs to hear about it so the company can investigate and address the problem, he said. “If those complaints go un-addressed, they may lead to whistleblower complaints.”
A gap in abilities between large and small contractors may also explain fraud suit vulnerabilities, Siegmann said. Large prime contractors have the staff and resources to comply with regulations, like NIST 800-171, she said, while smaller companies don’t.
Renée Brooker, who represents whistleblowers with Tycko & Zavareei LLP, said she’s heard that companies have a “head in the sand” problem with regard to cybersecurity incidents.
Some companies that lack cybersecurity compliance standards to protect information are knowingly falling short, because they don’t want to spend the resources needed to follow through on their written policies, she said.
“That is often because it’s the government’s data that they are compromising, which is not a concern of theirs,” Brooker said.
She also said a “recurring theme” is that these same companies do implement NIST standards for commercial customers, but give “short shrift” to government agencies because the companies are more likely to lose commercial business if a breach occurs.
The government is a captive audience because it doesn’t have the expertise to protect its own data, or perform the contract at issue, she said. “That’s why the government retains and pays the big bucks to government contractors.”
Centene, Raytheon
The DOJ succeeded in publicizing the initiative to whistleblower attorneys, said Moriah Daugherty, who represents FCA defendants with Covington & Burling LLP.
Whistleblower attorneys are “on the speaking circuit, seeking publicity in order to attract would-be relators,” Daugherty said. They “have always been good at ‘following the money,’ and they apparently think that cyber cases may lead to a pot of gold,” she said.
“Whenever the government tells us what they want, those are the cases we are going to try to bring them,” said Jacklyn DeMar, President and CEO of The Anti-Fraud Coalition.
In addition to Georgia Tech, the DOJ announced in February an $11 million settlement to resolve allegations that
Neither Raytheon nor Nightwing immediately responded to a request for comment.
Aero Turbine and Gallant Capital Partners LLC, Illumina Inc., Hill ASC Inc., and Morsecorp. Inc. agreed to FCA settlements this year as well.
In the Aero Turbine settlement, which involved allegations of lax cybersecurity under an Air Force engine maintenance contract, the DOJ said the companies made self-disclosures and cooperated with the government’s investigation, which entitled them to credit. Gallant didn’t immediately respond to a request for comment. StandardAero, which acquired Aero Turbine, declined to comment.
Many settlements have been modest, said Christopher R. Kavanaugh, who represents FCA defendants with Cleary Gottlieb Steen & Hamilton LLP. “When companies see modest penalties imposed after a company voluntarily discloses, it places a thumb on the scale in favor of disclosing, which is precisely what DOJ is hoping will happen,” he said. Most companies go to great lengths to abide by their cybersecurity requirements, he added.
Social Media Push
The settlements come at a time when whistleblower law firms are getting on social media to attract cases.
Brooker, who helped represent the Illumina whistleblower, is featured in one of her law firm’s social media posts. It says the DOJ wants to hear from people working for contractors providing inadequate cybersecurity services or knowingly failing to disclose breaches.
An Illumina spokesperson said the company denied the allegations, but agreed to settle the matter “to avoid the uncertainty, expense, and distraction of litigation.”
Brooker said the settlement announcements help push contractors and the health-care industry toward more expedited compliance with cybersecurity requirements.
She also said her firm has received “over a hundred reports from whistleblowers” regarding cybersecurity failures since 2021.
Whistleblower firm Constantine Cannon LLP has also sent out the clarion call on social media. The firm is “calling on cybersecurity whistleblowers to raise the alarm if you know of any cyber cracks in the system,” a post said.
The firm “has had cybersecurity whistleblowers reaching out to us on a weekly basis, more than ever before,” said Gordon Schnell, an attorney based in Constantine Cannon’s New York City office.