False Claims Act and the Cybersecurity Compliance Trap
Chapter 1
Understanding the False Claims Act and Cyber-Fraud
Eric Marquette
Welcome back to CMMC Unlocked! I’m Eric Marquette, and I’m here with Paul Netopski and Roz the Rulemaker. Today, we’re breaking down a subject that’s got a lot of folks in the defense world extra jittery: the False Claims Act and what the Civil Cyber-Fraud Initiative actually means for anyone working federal contracts with those NIST SP 800-171 clauses. Paul—let’s start with the basics. Can you walk us through what the False Claims Act actually is?
Paul Netopski
Absolutely, Eric. So, the False Claims Act—codified at 31 U.S.C. 3729—has some really powerful language. Any person who knowingly presents, or causes to be presented, a false or fraudulent claim for payment or approval, or knowingly makes or uses a false record tied to those claims, that’s a direct violation. The kicker is the 'knowingly' part. That doesn’t just mean actual knowledge; it covers reckless disregard or deliberate ignorance. No specific intent to defraud is required. And if you cross that line, you could be looking at civil penalties between $5,000 and $10,000 per claim—adjusted up for inflation these days—plus treble damages. That means three times the government’s losses. Plus, you’re on the hook for government legal costs.
Roz the Rulemaker
Right, and building on that, what’s interesting is that section (b) defines things like “claim” broadly. It can be any demand for money or property tied to a contract where the government’s involved. These legal terms—“material,” “obligation,” “knowing”—they all have specific definitions in the Act. And those definitions are intentionally wide, so if you’re thinking a technicality will save you, you might want to think again.
Eric Marquette
Yeah, it’s the kind of statute that’ll keep a compliance officer up at night. Now, Roz, I know the DOJ made major waves in 2021 announcing the Civil Cyber-Fraud Initiative. What’s the big picture there?
Roz the Rulemaker
So, in October 2021, the DOJ—specifically Deputy Attorney General Lisa Monaco—really changed the game with the Civil Cyber-Fraud Initiative. The focus shifted to holding contractors and grantees accountable when they knowingly misrepresent their cybersecurity practices or fail to follow required controls on federal contracts. The idea was to use the False Claims Act as a tool for improving cybersecurity, especially where federal information is at risk. This wasn’t just a policy memo; it signaled the government wanted tangible accountability for cyber lapses, not just after a breach, but for false attestations and non-compliance that could let a breach happen.
Paul Netopski
I remember that rollout very well. Honestly, the anxiety across the defense industry was palpable. Prime contractors suddenly started reevaluating everything—internal controls, assessment reporting, the works. I talked to more than one cyber lead who was worried they might need to disclose past mistakes, just to preempt something worse down the line. Folks realized, maybe for the first time, that compliance documentation wasn’t just a box-checking exercise. There was real dollar risk now, plus reputational risk. With that initiative, the DOJ basically sent a shot across the bow—if you’re making claims about your cybersecurity posture, or submitting those SPRS scores, you’d better have the evidence to back it up, because the penalties are real if you don’t.
Eric Marquette
Yeah, and I think what you’re both saying really sets the stage—so, we’ve got serious legal and financial exposure if someone flouts those NIST or DFARS requirements, even if it’s just because they didn’t do the due diligence. And now, with this cyber emphasis layered on, there’s even less room for wishful thinking or fuzzy documentation. Let’s get into what this looks like when the government actually pursues a case.
Chapter 2
Recent Cybersecurity False Claims: Public Cases
Eric Marquette
So, let’s talk about what cyber-fraud under the False Claims Act looks like in practice. Paul, you want to start with the Penn State case?
Paul Netopski
Sure, the Penn State settlement is a great example. Between 2018 and 2023, Penn State had fifteen DoD or NASA contracts. The allegations were pretty striking: first, they failed to implement required cybersecurity controls for CUI. Second, they submitted scores—those cybersecurity assessment reports—that didn’t accurately reflect their status or compliance plans. And third, they used a cloud provider that didn’t meet DoD security standards. Result? They settled with the DOJ for $1.25 million. And—this is important—the whistleblower in that case was the former CISO at the Penn State Applied Research Lab. He got a $250,000 share of the settlement, about twenty percent, so the qui tam provision was in full effect.
Roz the Rulemaker
From a policy perspective, settlements like this say a couple of things. First, the government is absolutely willing to pursue not just fraud, but what some organizations might have considered “minor” procedural or documentation lapses—like inaccurate self-reported assessment timelines. Second, these actions are about protecting CUI in real, practical ways. Not deploying required NIST 800-171 controls, or misrepresenting your score in SPRS, triggers a basic breach of DFARS 252.204-7012, which explicitly requires contractors to provide “adequate security.” If you say you’re compliant and you’re not, you’re misrepresenting material facts to the government—exactly what the FCA is meant to address.
Paul Netopski
And let’s not forget the Comprehensive Health Services case—the CHS settlement was $930,000, and it was the DOJ’s first civil cyber-fraud enforcement after that initiative was announced. The core problem: CHS said it was meeting contract requirements for secure storage of sensitive medical records—PHI and PII—for U.S. officials under State Department and Air Force contracts. But in reality, patient information sometimes ended up outside the required systems, unprotected. Plus, there were broader issues, like supplying unapproved controlled substances, but on the cybersecurity side, the government’s main focus was on those inaccurate statements around cybersecurity controls and the proper handling of sensitive data.
Roz the Rulemaker
I think what’s worth emphasizing is that the DOJ didn’t need to rely on a data breach to take action. It was enough that contractual requirements—like protecting EMR systems or reporting true compliance status—weren’t met. These cases signal a kind of strict liability, or at least “reckless disregard” standard, especially when dealing with NIST 800-171 controls and DFARS 252.204-7012 provisions. If you’re out of compliance, the risk isn’t just getting flagged in an audit. It’s real monetary penalties, and you might have to explain your cybersecurity actions to a federal judge.
Eric Marquette
And to Roz’s point, this goes way beyond theory. Even what feels like a paperwork or reporting mistake—if those mistakes are material, they’re actionable under the FCA. These settlements create a real deterrent to fudging cyber compliance, which, honestly, is probably overdue. And if you’re thinking, “those are big organizations, it’ll never happen to our small shop”—I’d just say, don’t count on it. The enforcement bar is lower than a lot of contractors like to admit. Okay, let’s talk about who actually brings these cases and just how fast those penalties can stack up.
Chapter 3
Qui Tam Whistleblowers and High Stakes in Cyber-Fraud
Paul Netopski
So, let’s dig into qui tam actions. These are lawsuits filed by private individuals—called relators—on the government’s behalf. If they help the government recover money, they typically get between 15 and 25 percent of the settlement. In the Penn State scenario, the former CISO—acting as relator—walked away with $250,000. And in the CHS case, the whistleblowers got a $172,050 share. So there’s a real, personal incentive for insiders to flag cyber-fraud, even if that means blowing the whistle on their own employer.
Roz the Rulemaker
And the structure of these penalties—the math’s pretty unforgiving. If you have, let’s say, repeated invoices or self-attestations to the government while not being truly compliant, every one could trigger a separate fine. Statutory fines start at $5,000 and can go above $10,000 for each claim, and that’s before you even factor in treble damages. Then you add the government’s legal costs to the final bill. That means a few missed compliance documents or misreported assessments can trigger liability that quickly spirals into the millions.
Paul Netopski
Yeah, and just to clarify, the government doesn’t have to show you intentionally set out to commit fraud. Deliberate ignorance or just reckless disregard for the truth is enough. So, even if somebody on your compliance team shrugs off a new control requirement or signs a document without proper review, that exposure is very real.
Roz the Rulemaker
And from the rulemaking side, I’ve seen so many instances—sometimes what looks like a simple paperwork error or a procedural misstep can end up at the heart of one of these cases. Maybe an organization fails to document their compliance work, or they misreport a timeline for a control implementation. Suddenly, what was a nuisance for compliance now carries multi-million dollar FCA exposure. That shift—from administrative headache to existential business risk—is something no contractor can afford to ignore anymore.
Eric Marquette
That’s such a good point. I mean, I feel like whether you’re in compliance, IT, or the C-suite, the risk equation here has changed. Documentation, transparency, real evidence—they’re not optional. And if an organization’s tempted to cut corners or fudge a control for expedience, the past few years of enforcement should serve as a wake-up call.
Paul Netopski
Exactly. And if we think back to our previous episodes, how many times did we stress the importance of audit trails and documentation? This is the real-world consequence. The False Claims Act isn’t just another line in the contract—you have to be ready to back up every claim you make, period.
Roz the Rulemaker
And it’s only likely to get stricter as the cyber compliance landscape keeps evolving. Organizations need to bake compliance into their day-to-day operations—not just treat it as a one-off project for an audit. It’s the only way to keep out of the FCA crosshairs.
Eric Marquette
I think that wraps us up for this episode. This stuff is complex, but the bottom line is clear: cyber compliance under the False Claims Act has real teeth now. Thanks, Paul, thanks, Roz, and thanks to all our listeners for staying engaged on these evolving risks. We’ll be back in the next episode to go even deeper—so stay vigilant, keep your documentation tight, and as always, stay safe out there. Paul, Roz—great talking with you both!
Paul Netopski
Always a pleasure, Eric, Roz. Take care, everyone—don’t let your guard down; compliance is a moving target.
Roz the Rulemaker
Thanks, Eric, Paul. Looking forward to next time. Bye, all!
