DOJ recovered $52M in False Claims Act for cyber settlements, signaling tougher enforcement over contractor cybersecurity representations.
For years, many government contractors treated cybersecurity compliance as a technical checklist: important, certainly, but often siloed within IT departments. That mindset is no longer tenable. The U.S. Department of Justice (DOJ) has announced that cybersecurity representations to the federal government are now squarely within the enforcement core of the False Claims Act (FCA). What began in October 2021 as the Civil Cyber-Fraud Initiative has matured into a sustained and expanding enforcement priority.
The numbers alone signal that this is not a passing trend. In January 2026, the DOJ announced that it recovered $52 million through nine cybersecurity-related FCA settlements in the fiscal year ending September 2025. Those recoveries formed part of a record-setting $6.8 billion in total False Claims Act recoveries that year.
Even more striking, DOJ reported that cybersecurity fraud resolutions have more than tripled in each of the past two years, evidence of what Deputy Assistant Attorney General Brenna Jenny described as a “significant upward trajectory.”
The False Claims Act: From Initiative to Institutional Priority
When the DOJ launched the Civil Cyber-Fraud Initiative in October 2021, it stated that it would use the FCA, complete with treble damages and statutory penalties, to pursue entities that knowingly submit false claims tied to cybersecurity obligations. The misconduct categories were specific and practical:
- Delivering deficient cybersecurity products or services
- Misrepresenting cybersecurity practices or protocols
- Failing to monitor and report cybersecurity incidents as required
At the time, some viewed the initiative as an experiment. That view is no longer credible. Since October 2021, the DOJ has settled fifteen civil cyber-fraud cases under the FCA. More than half of those settlements were announced during the current administration, surpassing the total from the earlier years following the initiative’s launch. Civil cyber-fraud enforcement is now part of the DOJ’s routine FCA portfolio, not an edge case.
In remarks delivered on January 28, 2026, at the American Conference Institute’s Advanced Forum on False Claims and Qui Tam Enforcement, Jenny reaffirmed the administration’s commitment to this path. As the political official overseeing nationwide False Claims Act enforcement, she emphasized both the scale of recent recoveries and the continuing focus on cybersecurity.

Misrepresentation, Not Mere Breach
One of the most important clarifications in Jenny’s remarks addressed a persistent misconception: FCA cybersecurity cases are “not about data breaches,” but are instead “premised on misrepresentations.” That distinction matters.
Breaches occur even in well-managed environments. The DOJ has signaled that it is not interested in punishing companies simply because they were victims of sophisticated attacks. Instead, the FCA becomes relevant when an organization tells the government it complies with cybersecurity requirements and, in reality, does not.
Under the False Claims Act, liability turns on knowingly false or misleading claims for payment. In the cybersecurity context, this can include explicit certifications of compliance or even implied representations embedded in invoices and contract submissions. If a contractor seeks payment while failing to meet required cybersecurity standards, the DOJ may argue that the claim itself carries an implied assertion of compliance.
That theory has teeth, particularly when paired with the FCA’s treble damages framework.
Defense, Civilian Agencies, and Expanding Standards
The majority of DOJ’s cybersecurity-related FCA settlements, nine out of fifteen, have involved U.S. Department of Defense (DoD) cybersecurity requirements. The DoD recently finalized the Cybersecurity Maturity Model Certification (CMMC), introducing structured verification requirements that, for many contractors, involve third-party assessment. These developments create more objective benchmarks against which representations can be tested.
Civilian agencies are moving in the same direction. In January 2026, the General Services Administration issued a procedural guide governing the protection of Controlled Unclassified Information (CUI) on nonfederal contractor systems. Like the CMMC framework, it contemplates extensive third-party assessments. Across the executive branch, scrutiny of contractor cybersecurity programs is intensifying.
As federal dollars increasingly flow with cybersecurity conditions attached, across defense contractors, IT service providers, healthcare benefit administrators, research universities, and even entities adjacent to prime contractors, the FCA provides the DOJ with a powerful lever to enforce those conditions.
Whistleblowers as Catalysts
No discussion of the False Claims Act is complete without acknowledging the central role of whistleblowers. Qui tam provisions allow private individuals to bring FCA claims on behalf of the government and potentially receive up to thirty percent of any recovery. Defendants are also responsible for the whistleblower’s attorneys’ fees.
Jenny noted that whistleblowers have continued to play a large role in cyber-fraud cases. That should not surprise anyone familiar with FCA enforcement. Cybersecurity compliance failures often surface internally before they become public. When employees believe their concerns are ignored, or worse, concealed, the FCA offers a direct channel to the DOJ.
Organizations that treat internal cybersecurity complaints as routine HR matters underestimate the risk. A credible internal reporting system, thorough investigation processes, and transparent remediation efforts are not just governance best practices; they are FCA risk mitigation tools.
In some circumstances, companies may need to evaluate disclosure obligations to the government, whether mandatory or voluntary. DOJ policies have increasingly emphasized cooperation credit in the cybersecurity arena, making early, good-faith engagement a strategic consideration.
Governance Is Now a Legal Issue
The DOJ’s approach no longer treats cybersecurity as merely a technical discipline. It is a representation issue, a contract performance issue, and ultimately an FCA issue. That reality demands cross-functional alignment.
Organizations doing business with the federal government should ensure:
- Clearly defined roles and accountability for cybersecurity compliance.
- A comprehensive understanding of contractual and regulatory obligations.
- Coordinated reporting and escalation channels for cybersecurity concerns.
- Ongoing assessments of cybersecurity posture, including documented gap analyses and remediation plans supported by qualified experts.
These elements are not aspirational. They form the evidentiary record that may determine whether a dispute becomes an expensive False Claims Act investigation.
The New Baseline
The DOJ’s $6.8 billion in fiscal year 2025 False Claims Act recoveries, including $52 million from cybersecurity settlements, mark a clear shift. Cybersecurity is now central to DOJ FCA enforcement, not a secondary issue.
For contractors and grant recipients, accuracy in cybersecurity representations is critical. Under the False Claims Act, what an organization tells the government about its security posture must align with reality. Gaps between certification and practice can quickly escalate into costly investigations.
Strengthening visibility across attack surfaces, monitoring emerging threats, and validating controls are essential steps in reducing FCA risk. Platforms like Cyble, recognized in Gartner Peer Insights for Threat Intelligence, help organizations maintain continuous intelligence, detect exposures early, and support defensible cybersecurity governance.
Book a free demo with Cyble to see how AI-powered threat intelligence can help your organization stay ahead of risk and confidently support its cybersecurity commitments.