The Defense Compliance Report — Research & Data
Cyber False Claims Act Settlements: The Complete DOJ Tracker (2021–2026)
Since the U.S. Department of Justice launched its Civil Cyber-Fraud Initiative on October 6, 2021, cyber False Claims Act settlements have reached at least 17 DOJ-announced resolutions, totaling at least $82,228,588 through the LOGZONE settlement on June 18, 2026. We built this tracker by reading every Department of Justice release, one by one, and recording the amount, date, agency, allegation, and whistleblower share for each. It also settles a number that trips up almost every published roundup: the fiscal-year total and the calendar-year total are both right — they just count different cases.
The numbers at a glance
| Metric | Value | Notes |
|---|---|---|
| DOJ-announced cyber FCA settlements since Oct. 6, 2021 | 17 | Release-level count; the Guidehouse/Nan McKay matter is one release with two defendants. |
| Total announced settlement value | at least $82,228,588 | Sum of DOJ-announced amounts. Two matters carry “at least” or waiver components (Hill ASC; ASRC Federal). |
| Largest settlement | at least $14.75M — Hill ASC (Hill Associates) | GSA schedule / cybersecurity-services scope case, July 2025. |
| Largest defense-related settlement | $11.25M — Health Net Federal Services / Centene | TRICARE (Defense Health Agency), February 2025. |
| Largest explicit NIST/DFARS settlement | $8.4M — Raytheon / RTX / Nightwing | DFARS 252.204-7012 and FAR 52.204-21, May 2025. |
| Fiscal year 2025 (Oct 1, 2024 – Sep 30, 2025) | 9 settlements / $52,985,122 | Reconciles DOJ’s “over $52M in nine.” |
| Calendar year 2025 (Jan 1 – Dec 31, 2025) | 8 settlements / $51,849,634 | Matches the widely cited 2025 industry total. |
| Known DOJ-stated whistleblower shares | $9,838,291 | Summed only where DOJ stated a relator share. |
| Settlements alleging an actual breach or data exposure | 4 of 17 | The other 13 rested on misrepresentation alone. |
| First cyber FCA settlement ever | Cisco Systems, $8.6M () | Predates the Initiative; not counted in the 17 above. |
Add the pre-Initiative Cisco settlement and every publicly known cyber False Claims Act settlement from 2019 through mid-2026 comes to 18 matters totaling roughly $90.8 million.
How many cyber False Claims Act settlements has the DOJ announced?
The DOJ has publicly announced at least 17 cybersecurity-related civil False Claims Act settlements since it launched the Civil Cyber-Fraud Initiative on October 6, 2021, totaling at least $82,228,588 through June 18, 2026. The count depends on how you define a “settlement.” We use a release-level count: one entry per DOJ announcement. When DOJ announced Guidehouse and Nan McKay together in a single release, we treat that as one matter and record both defendant amounts inside it.
That definition matters, because different counting rules produce different totals, and this is where most published figures diverge. Count the two ERAP defendants separately and you get 18. Restrict the list to matters where DOJ leaned on the defense cybersecurity stack — NIST SP 800-171, DFARS, an SPRS score, or a DIBCAC assessment — and you get 7. Restrict it to the government’s own fiscal year and you get 9. We show all of these views below, with the exact cases in each, so you can apply whichever definition your own analysis requires.
A few definitions we’ll use throughout. A qui tam case (Latin, roughly “on behalf of the king”) is a whistleblower lawsuit filed under the False Claims Act by a private party — the relator — on the government’s behalf; if it succeeds, the relator receives 15%–30% of the recovery. NIST SP 800-171 Rev. 2 is the National Institute of Standards and Technology publication behind the 110-point DoD assessment score that contractors post in the Supplier Performance Risk System (SPRS). The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is the DoD body that conducts higher-confidence assessments of that score. These terms show up in nearly every defense-related settlement below.
The complete cyber False Claims Act settlement tracker
Below is every DOJ-announced cyber False Claims Act settlement from the first one in 2019 through June 2026, with the defendant, date, agency, allegation, amount, and whistleblower share. Each row links to the primary Department of Justice source. Amounts are the settlement figures DOJ announced; where DOJ said “at least,” we use that as a floor.
| Date | Defendant | Agency / program | Core allegation | Amount | Qui tam / relator share | Source |
|---|---|---|---|---|---|---|
| | Cisco Systems, Inc. (pre-Initiative; first ever) | DHS, Secret Service, FEMA, U.S. military + states | Sold Video Surveillance Manager software with known vulnerabilities enabling network/camera compromise | $8,600,000 | Yes — James Glenn (~20%, ~$1.75M) | NY AG |
| | Comprehensive Health Services LLC (first under the Initiative) | State Dept. & Air Force (overseas medical) | Falsely represented it stored patient medical records on a secure system | $930,000 | Yes — two qui tam actions; share not stated | DOJ |
| | Aerojet Rocketdyne, Inc. (first litigated to trial) | DoD, NASA | Misrepresented cybersecurity compliance in federal contracts | $9,000,000 | Yes — Brian Markus, $2,610,000 | DOJ |
| | Jelly Bean Communications Design LLC + Jeremy Spinks | CMS-funded Florida children’s health insurance site | Failed to secure a website; unpatched software; 2020 hack exposed 500,000+ applications | $293,771 | No relator stated in DOJ release | DOJ |
| | Verizon Business Network Services LLC | GSA / Managed Trusted IP Services | Incomplete cybersecurity controls on secure internet service to agencies | $4,091,317 | No relator; self-disclosed and cooperated | DOJ |
| | Insight Global LLC | PA Dept. of Health / COVID-19 contact tracing | Failed to protect PHI; unencrypted emails; shared passwords; public Google files | $2,700,000 | Yes — Terralyn Williams Seilkop, $499,500 | DOJ |
| | Guidehouse Inc. & Nan McKay and Associates | Treasury-funded NY Emergency Rental Assistance Program | Required pre-launch cybersecurity testing not completed; PII exposed 12 hours after go-live | $11,300,000 (Guidehouse $7.6M; Nan McKay $3.7M) | Yes — Elevation 33 LLC, $1,949,250 | DOJ |
| | ASRC Federal Data Solutions LLC | CMS / Medicare beneficiary data | PII not individually encrypted; data breach | $306,722 (+ waiver of ≥$877,578) | No relator; cooperation credit | DOJ |
| | The Pennsylvania State University | DoD, NASA (15 contracts/subcontracts) | Misrepresented dates for implementing controls; weak POA&M follow-through; non-compliant cloud service | $1,250,000 | Yes — Matthew Decker (former ARL CIO), $250,000 | DOJ |
| | Health Net Federal Services LLC & Centene Corp. | DoD / Defense Health Agency / TRICARE | False annual cyber certifications; skipped vulnerability scanning; ignored audit warnings | $11,253,400 | No relator stated in DOJ release | DOJ |
| | MORSECORP Inc. | Army, Air Force | Non-compliant email host; unimplemented NIST 800-171 controls; no system security plan; false SPRS score | $4,600,000 | Yes — relator Berich, $851,000 (18.5%) | DOJ |
| | Raytheon, RTX Corp. & Nightwing (successor-liability case) | DoD (29 contracts/subcontracts, 2015–2021) | Ran a non-compliant internal system storing CUI/FCI; DFARS 252.204-7012; FAR 52.204-21 | $8,400,000 | Yes — Branson K. Fowler Sr., $1,512,000 | DOJ |
| | Hill ASC Inc. (Hill Associates) (largest to date) | GSA Multiple Award Schedule (IT / HACS) | Billed for cybersecurity services it wasn’t approved to provide; underqualified labor; out-of-scope work | at least $14,750,000 | No relator stated in DOJ release | DOJ |
| | Illumina, Inc. (first medical-device product case) | Federal agencies (genomic sequencers) | Product cybersecurity vulnerabilities; inadequate security program; false ISO/NIST representations | $9,800,000 | Yes — Erica Lenore, $1,900,000 | DOJ |
| | Aero Turbine Inc. & Gallant Capital Partners LLC (first private-equity co-defendant) | Air Force | Unimplemented NIST 800-171 controls; CUI accessible to unauthorized foreign persons | $1,750,000 | No relator; voluntary self-disclosure | DOJ |
| | Georgia Tech Research Corporation | Air Force, DARPA (~$31M contracts) | No anti-virus/anti-malware in a research lab; no SSP; false summary-level (SPRS) score of 98 | $875,000 | Yes — Christopher Craig & Kyle Koza, $201,250 | DOJ |
| | Swiss Automation, Inc. (first subcontractor/supplier case) | DoD prime contractors (technical drawings) | Inadequate cybersecurity (NIST 800-171) for CUI drawings supplied to primes | $421,234 | Yes — Jaime Gomez, $65,291 | DOJ |
| | LOGZONE, Inc. | Navy (Naval Oceanographic Command) | Self-assessed a perfect NIST 800-171 score of 110; DCMA/DIBCAC scored it −170 | $507,144 | No relator stated in DOJ release | DOJ |
Cyber False Claims Act settlements data by year
Cyber False Claims Act enforcement was nearly flat for its first two years and then jumped sharply: calendar-year 2025 alone produced eight settlements worth $51,849,634 — more than every prior year combined. The table below counts settlements at the release level (the Guidehouse/Nan McKay matter is one entry) and separates the 2019 Cisco case, which predates the Initiative.
| Year | Settlements | Total value | Note |
|---|---|---|---|
| 2019 | 1 | $8,600,000 | Cisco — pre-Initiative |
| 2021 | 0 | $0 | Initiative launched October 6 |
| 2022 | 2 | $9,930,000 | First settlements under the Initiative |
| 2023 | 2 | $4,385,088 | |
| 2024 | 4 | $15,556,722 | |
| 2025 | 8 | $51,849,634 | Sharpest year on record |
| 2026 (through ) | 1 | $507,144 | |
| Initiative-era total (2022–2026) | 17 | $82,228,588 | |
Why do the settlement counts differ — nine, eight, seven, fifteen, seventeen?
The main reason cyber FCA settlement counts vary is the date window and the counting rule, not the underlying facts. DOJ’s fiscal-year 2025 fact sheet reports “over $52 million in nine cybersecurity fraud settlements.” Industry year-in-review coverage of calendar-year 2025 reports eight settlements totaling $51,849,634. Both are right — DOJ is measuring its fiscal year (October 1, 2024 to September 30, 2025), while the calendar-year figure runs January through December 2025. We verified this by dropping each settlement into the correct window.
Here is exactly what moves. DOJ’s fiscal-year count includes the two October 2024 settlements (ASRC Federal and Penn State) because they fall in FY2025, and excludes the December 2025 Swiss Automation settlement because that landed in FY2026. The calendar-year count does the opposite: it drops the October 2024 pair and picks up Swiss Automation.
| Window | Count | Total | Cases included |
|---|---|---|---|
| Fiscal year 2025 (Oct 1, 2024 – Sep 30, 2025) | 9 | $52,985,122 | ASRC Federal, Penn State, Health Net/Centene, MORSECORP, Raytheon/RTX/Nightwing, Hill ASC, Illumina, Aero Turbine/Gallant, Georgia Tech |
| Calendar year 2025 (Jan 1 – Dec 31, 2025) | 8 | $51,849,634 | Health Net/Centene, MORSECORP, Raytheon/RTX/Nightwing, Hill ASC, Illumina, Aero Turbine/Gallant, Georgia Tech, Swiss Automation |
Two other counts float around, and both are defensible. Some practitioners say the Department has settled “fifteen” civil cyber-fraud cases since the Initiative began — that figure counts matters through the end of FY2025 and stops before Swiss Automation and LOGZONE. And you’ll occasionally see “seven cybersecurity cases in 2025,” which typically counts calendar-year 2025 but excludes Hill ASC, treating it as a GSA-schedule billing case rather than a cybersecurity case. That last call is a judgment about scope, which brings us to the one settlement that reshapes the whole picture.
The largest cyber False Claims Act settlement is a case most trackers miss
The single largest cyber-related False Claims Act settlement to date is Hill ASC Inc., doing business as Hill Associates, which agreed on July 14, 2025 to pay at least $14.75 million — larger than the two headline defense cases (Health Net/Centene at $11.25M and the combined Guidehouse/Nan McKay matter at $11.3M). We flag it because several roundups leave it out, and its absence is exactly what makes the fiscal-year math look impossible.
Hill is different from the NIST 800-171 cases that dominate the headlines. According to the DOJ release, the Rockville, Maryland IT firm billed federal agencies through GSA’s Multiple Award Schedule from 2018 to 2023 for information-technology personnel who lacked the required experience, and — the cyber hook — submitted claims for highly adaptive cybersecurity services (HACS) even though it had not passed GSA’s required technical evaluation to offer them. No relator is named in the release; the matter was worked by GSA’s Inspector General, Treasury OIG, and the IRS’s TIGTA.
When we added Hill to our tracker, the fiscal-year 2025 total snapped into place: nine settlements, $52,985,122 — “over $52 million in nine,” exactly as DOJ reported. It was the missing ninth case.
| Rank | Defendant | Amount | Year | Type |
|---|---|---|---|---|
| 1 | Hill ASC (Hill Associates) | at least $14,750,000 | 2025 | GSA schedule / cybersecurity-services scope |
| 2 | Guidehouse + Nan McKay (combined) | $11,300,000 | 2024 | Pre-launch cyber testing / PII |
| 3 | Health Net Federal Services / Centene | $11,253,400 | 2025 | TRICARE cyber certification |
| 4 | Illumina | $9,800,000 | 2025 | Medical-device product cybersecurity |
| 5 | Aerojet Rocketdyne | $9,000,000 | 2022 | Misrepresented compliance |
| 6 | Cisco Systems (pre-Initiative) | $8,600,000 | 2019 | Vulnerable product sold to government |
| 7 | Raytheon / RTX / Nightwing | $8,400,000 | 2025 | NIST 800-171 / DFARS / successor liability |
| 8 | MORSECORP | $4,600,000 | 2025 | NIST 800-171 / false SPRS score |
| 9 | Verizon Business Network Services | $4,091,317 | 2023 | Incomplete secure-internet controls |
| 10 | Insight Global | $2,700,000 | 2024 | COVID-19 contact-tracing data safeguards |
How much have cyber FCA whistleblowers received?
Across the cases where DOJ stated a relator’s share, whistleblowers in cyber False Claims Act settlements have been awarded a combined $9,838,291. Whistleblowers drove many of these cases: of the 17 Initiative-era release-level settlements, at least 10 began as qui tam suits filed by employees or insiders, and five of the eight calendar-year 2025 settlements were qui tam actions. The rest came from voluntary self-disclosure or cooperation credit (Verizon, ASRC Federal, and Aero Turbine/Gallant), government-initiated investigations (Health Net/Centene, and — via a DIBCAC assessment — LOGZONE), or a DOJ release that named no relator (Hill ASC).
We cross-checked this the hard way. Summing only the 2025 relator shares in our tracker — MORSECORP ($851,000), Raytheon ($1,512,000), Illumina ($1,900,000), Georgia Tech ($201,250), and Swiss Automation ($65,291) — gives $4,529,541, which matches the calendar-2025 whistleblower total reported independently in industry coverage to the dollar. That reconciliation is one reason we’re confident in the figures below.
| Case | Relator | Share |
|---|---|---|
| Aerojet Rocketdyne (2022) | Brian Markus | $2,610,000 |
| Guidehouse / Nan McKay (2024) | Elevation 33 LLC | $1,949,250 |
| Illumina (2025) | Erica Lenore | $1,900,000 |
| Raytheon / RTX / Nightwing (2025) | Branson K. Fowler Sr. | $1,512,000 |
| MORSECORP (2025) | relator Berich | $851,000 |
| Insight Global (2024) | Terralyn Williams Seilkop | $499,500 |
| Penn State (2024) | Matthew Decker (former ARL CIO) | $250,000 |
| Georgia Tech (2025) | Christopher Craig & Kyle Koza | $201,250 |
| Swiss Automation (2025) | Jaime Gomez | $65,291 |
| Total (stated shares) | | $9,838,291 |
| Cisco (2019, pre-Initiative) | James Glenn | ~$1,750,000 (~20%) |
Which cyber FCA settlements involved NIST 800-171, DFARS, SPRS, or DIBCAC?
Seven of the Initiative-era settlements turned on the explicit defense cybersecurity stack — NIST SP 800-171, DFARS 252.204-7012, the SPRS assessment score, or a DIBCAC review — and together they account for about $17.8 million. This is the subset defense contractors preparing for CMMC should study, because the allegations map directly onto the artifacts assessors check: implemented controls, a system security plan, a plan of action and milestones, and an accurate SPRS score. Related context on CMMC enforcement data is in our CMMC Statistics 2026 reference page.
Two definitions for this group. SPRS is the DoD system where contractors post their NIST 800-171 self-assessment score, on a scale that tops out at 110. DIBCAC is the Defense Industrial Base Cybersecurity Assessment Center, the DoD body that conducts higher-confidence assessments. The pattern across these cases is stark: contractors posted optimistic self-scores, and later assessments found the truth.
| Case | What the DOJ release keyed on | Score / requirement cited | Amount | Relator share |
|---|---|---|---|---|
| MORSECORP (2025) | NIST 800-171; no SSP; false SPRS score | Reported a score its own consultant had flagged as −142 | $4,600,000 | $851,000 |
| Raytheon / RTX / Nightwing (2025) | DFARS 252.204-7012; FAR 52.204-21 | Non-compliant covered system across 29 contracts | $8,400,000 | $1,512,000 |
| Aero Turbine / Gallant (2025) | NIST 800-171 (110 controls) | CUI accessible to unauthorized foreign persons | $1,750,000 | — |
| Georgia Tech (2025) | NIST 800-171; no SSP; false summary score | Submitted a campus-wide score of 98 based on a fictitious environment | $875,000 | $201,250 |
| Swiss Automation (2025) | NIST 800-171 (subcontractor flow-down) | Inadequate security for CUI technical drawings | $421,234 | $65,291 |
| LOGZONE (2026) | NIST 800-171; DIBCAC assessment | Self-scored 110; DIBCAC scored −170 (range −203 to 110) | $507,144 | — |
| Penn State (2024) | NIST 800-171; assessment-date misrepresentation; POA&M | Misrepresented when controls would be implemented | $1,250,000 | $250,000 |
| Total | | | $17,803,378 | |
The broader defense-related group — anything tied to DoD, the military services, NASA, or a defense prime — is larger once you include cases that involve defense agencies without DOJ naming a specific control (for example, Comprehensive Health Services and Aerojet Rocketdyne). We keep the two views separate on purpose, because “defense-related” and “explicit NIST 800-171 case” are not the same thing, and conflating them is a common error.
What allegation patterns show up most often?
Cyber FCA settlements cluster into five repeat fact patterns, and the money is spread across all of them — no single theory dominates. We assigned each Initiative-era matter to its dominant theme; several involved more than one issue, and the notes call those out. The through-line is misrepresentation, not intrusion.
| Allegation pattern | Cases | Count | Settlement dollars | Notes |
|---|---|---|---|---|
| False or inaccurate assessment / SPRS score / certification | MORSECORP, Georgia Tech, LOGZONE, Penn State, Health Net/Centene | 5 | $18,485,544 | The “you certified compliance and weren’t” cases |
| Unimplemented NIST 800-171 / DFARS controls | Aerojet, Verizon, Raytheon, Aero Turbine, Swiss Automation | 5 | $23,662,551 | Controls simply not in place |
| Failure to safeguard PII/PHI | CHS, Jelly Bean, Insight Global, Guidehouse/Nan McKay, ASRC Federal | 5 | $15,530,493 | Includes insecure hosting and skipped required testing |
| Vulnerable product sold to the government | Illumina (+ Cisco pre-Initiative) | 1 | $9,800,000 | Plus Cisco (2019), the pre-Initiative original |
| Billing for cybersecurity services/scope not approved | Hill ASC | 1 | $14,750,000 | The single largest matter |
| Total | | 17 | $82,228,588 | |
Do cyber False Claims Act cases require a data breach?
No. In most of these settlements, the government never alleged that anyone breached the contractor’s systems — 13 of the 17 Initiative-era matters rested on misrepresentation alone. Liability turns on the false statement — a certification of compliance, an inflated assessment score, a claim submitted while knowingly out of compliance — not on a hacker getting in. DOJ officials have said as much publicly, describing cyber-fraud cases as premised on misrepresentations rather than on data breaches.
| Breach or exposure alleged | Cases |
|---|---|
| Yes (4) | Jelly Bean (2020 hack, 500,000+ applications exposed), Guidehouse/Nan McKay (PII exposed 12 hours after launch), ASRC Federal (2022 breach), Insight Global (PHI in unencrypted emails and public files) |
| No breach alleged (13) | Cisco, CHS, Aerojet, Verizon, Penn State, Health Net/Centene, MORSECORP, Raytheon, Hill ASC, Illumina, Aero Turbine, Georgia Tech, LOGZONE |
The practical takeaway for contractors: a clean security record does not protect you if your certifications, scores, or system security plans don’t match reality. The DOJ releases for MORSECORP, Georgia Tech, Aero Turbine, and LOGZONE did not allege a breach at all — the misrepresentation was enough.
What is the DOJ Civil Cyber-Fraud Initiative?
The Civil Cyber-Fraud Initiative is a DOJ enforcement program, announced by then-Deputy Attorney General Lisa Monaco on October 6, 2021, that uses the False Claims Act to pursue government contractors and grant recipients who misrepresent their cybersecurity. It targets three kinds of conduct: knowingly providing deficient cybersecurity products or services, knowingly misrepresenting security practices, and knowingly failing to monitor and report cyber incidents. Because the False Claims Act carries treble (triple) damages plus per-claim penalties, it gives the government real financial leverage over cyber noncompliance.
The reach has widened over time, as the year-by-year table above shows: two settlements in 2022, eight in 2025. The Department now tends to describe these as “cybersecurity fraud” settlements rather than by the Initiative’s name, but the enforcement has not slowed — its fiscal-year 2025 fact sheet reports over $52 million in nine such settlements. The theory now reaches defense primes, universities, medical-device makers, private-equity owners, and, as of December 2025, subcontractors deep in the supply chain.
What this data shows — and what it doesn’t
This tracker shows the public, DOJ-announced universe of civil cyber False Claims Act settlements and the amounts DOJ chose to announce. It does not show the full scope of cyber-compliance enforcement. It captures settled matters, not sealed investigations, ongoing litigation, or interventions without a resolution. It excludes criminal cases without a civil settlement, state-only actions, private data-breach class actions, and FTC or SEC matters. And a settlement amount is the announced figure, which can understate total exposure — Hill’s is “at least” $14.75 million, and ASRC’s excludes a separate waiver of at least $877,578 in remediation costs.
One more honest caveat on counting: our totals treat the Guidehouse/Nan McKay matter as one release with two defendants, and they exclude the pre-Initiative Cisco settlement from the “17” headline (we report it separately). Change either rule and the top-line number shifts. We’ve shown the components in every table so you can recount however your own analysis requires.
Methodology: how we built and verified this tracker
We built this list from primary sources — DOJ press releases, settlement announcements, and DOJ’s annual False Claims Act materials — and verified each figure against the issuing release. For every settlement we recorded the announcement date, defendant, agency or program, allegation category, settlement amount, qui tam status, and stated relator share, and we linked the row to its DOJ source. Where secondary sources (law-firm alerts, industry year-in-reviews) reported a figure, we used them only as a cross-check, never as the primary record.
Our inclusion rule: a civil False Claims Act settlement or resolution announced after the October 6, 2021 launch of the Initiative, where the DOJ release ties the matter to cybersecurity requirements, cybersecurity products or services, cybersecurity representations, secure hosting, or cyber incident and reporting obligations. We count at the release level and note multiple defendants inside a matter. We treat “at least” amounts as floors and do not add separately announced waivers into the settlement total. We include the 2019 Cisco settlement as clearly labeled historical context because it is widely recognized as the first cyber False Claims Act settlement, but we exclude it from Initiative-era totals; its amount combines a federal share and a multistate share, the latter confirmed by the New York Attorney General.
Two verification steps gave us confidence in the aggregates. First, adding Hill ASC reconciled our fiscal-year 2025 total to DOJ’s own “over $52 million in nine settlements.” Second, our calendar-2025 whistleblower shares summed to $4,529,541, matching an independently reported 2025 total to the dollar. We re-verify the tracker on the date shown at the top of the page and after each new DOJ cyber settlement and each annual DOJ False Claims Act report.
Frequently asked questions
- How many cyber False Claims Act settlements have there been?
- At least 17 cybersecurity-related civil False Claims Act settlements since the DOJ launched its Civil Cyber-Fraud Initiative on October 6, 2021, totaling at least $82,228,588 through June 18, 2026. Counting the pre-Initiative Cisco settlement (2019), the total is 18 matters and roughly $90.8 million.
- What is the largest cyber False Claims Act settlement?
- Hill ASC Inc. (Hill Associates), at least $14.75 million, announced July 14, 2025 — a GSA schedule case involving cybersecurity services the company wasn’t approved to bill. The largest defense-related settlement is Health Net Federal Services and Centene at $11,253,400 (TRICARE), and the largest explicit NIST/DFARS settlement is Raytheon / RTX / Nightwing at $8,400,000.
- What was the first cyber False Claims Act settlement?
- Cisco Systems’ $8.6 million settlement on July 31, 2019 is generally recognized as the first. The first settlement under DOJ’s Civil Cyber-Fraud Initiative was Comprehensive Health Services, $930,000, on March 8, 2022.
- Why do DOJ and law firms report different settlement counts?
- Mostly the date window. DOJ’s fiscal-year 2025 count is nine settlements ($52,985,122); a calendar-year 2025 count is eight ($51,849,634). The two windows swap the October 2024 settlements (ASRC Federal and Penn State) for the December 2025 Swiss Automation settlement.
- Which cases involved NIST SP 800-171 or SPRS scores?
- Seven turned on the explicit defense cybersecurity stack: MORSECORP, Raytheon/RTX/Nightwing, Aero Turbine/Gallant, Georgia Tech, Swiss Automation, LOGZONE, and Penn State — about $17.8 million combined.
- How much have cyber FCA whistleblowers received?
- Across settlements where DOJ stated a relator share, whistleblowers were awarded a combined $9,838,291. The largest single share was $2,610,000 (Aerojet Rocketdyne).
- Does a settlement mean the defendant admitted liability?
- No. In each of these matters the claims were allegations only, and there was no determination of liability. A few settlements included specific admissions of fact (for example, the ERAP matter and MORSECORP), but a settlement is not a finding of guilt.
- Do these cases require a data breach?
- No. Thirteen of the 17 Initiative-era matters involved no alleged breach; liability is based on the misrepresentation — a false certification, an inaccurate SPRS score, or a claim submitted while knowingly noncompliant.
How to cite this page
Suggested citation:
The Defense Compliance Report Editorial Team. “Cyber False Claims Act Settlements: The Complete DOJ Tracker (2021–2026).” The Defense Compliance Report. Last verified . https://thedefensecompliancereport.com/research/cyber-false-claims-act-settlements/