The Defense Compliance Report — Research & Data

Cyber False Claims Act Settlements: The Complete DOJ Tracker (2021–2026)

By The Defense Compliance Report editorial team · Published · Last verified: · Updated after each new DOJ cyber settlement

The Defense Compliance Report is an independent trade publication covering CMMC 2.0 and Defense Industrial Base compliance. This page is an independent reference resource not affiliated with the Department of Justice, the Department of Defense, or any government agency. It is educational research, not legal advice.


Since the U.S. Department of Justice launched its Civil Cyber-Fraud Initiative on October 6, 2021, cyber False Claims Act settlements have reached at least 17 DOJ-announced resolutions, totaling at least $82,228,588 through the LOGZONE settlement on June 18, 2026. We built this tracker by reading every Department of Justice release, one by one, and recording the amount, date, agency, allegation, and whistleblower share for each. It also settles a number that trips up almost every published roundup: the fiscal-year total and the calendar-year total are both right — they just count different cases.

Every row in the tracker links to its primary DOJ source. Download the full dataset as CSV below.

This is a research and reference resource, not legal advice. The legal claims resolved in these matters were allegations only, and there was no determination of liability; a few settlements also included specific admissions or acknowledgments of fact.

The numbers at a glance

Summary figures — DOJ cyber False Claims Act enforcement through
| Metric | Value | Notes |
| --- | --- | --- |
| DOJ-announced cyber FCA settlements since Oct. 6, 2021 | 17 | Release-level count; the Guidehouse/Nan McKay matter is one release with two defendants. |
| Total announced settlement value | at least $82,228,588 | Sum of DOJ-announced amounts. Two matters carry “at least” or waiver components (Hill ASC; ASRC Federal). |
| Largest settlement | at least $14.75M — Hill ASC (Hill Associates) | GSA schedule / cybersecurity-services scope case, July 2025. |
| Largest defense-related settlement | $11.25M — Health Net Federal Services / Centene | TRICARE (Defense Health Agency), February 2025. |
| Largest explicit NIST/DFARS settlement | $8.4M — Raytheon / RTX / Nightwing | DFARS 252.204-7012 and FAR 52.204-21, May 2025. |
| Fiscal year 2025 (Oct 1, 2024 – Sep 30, 2025) | 9 settlements / $52,985,122 | Reconciles DOJ’s “over $52M in nine.” |
| Calendar year 2025 (Jan 1 – Dec 31, 2025) | 8 settlements / $51,849,634 | Matches the widely cited 2025 industry total. |
| Known DOJ-stated whistleblower shares | $9,838,291 | Summed only where DOJ stated a relator share. |
| Settlements alleging an actual breach or data exposure | 4 of 17 | The other 13 rested on misrepresentation alone. |
| First cyber FCA settlement ever | Cisco Systems, $8.6M () | Predates the Initiative; not counted in the 17 above. |

Source: The Defense Compliance Report, compiled from U.S. Department of Justice press releases. Last verified .

Add the pre-Initiative Cisco settlement and every publicly known cyber False Claims Act settlement from 2019 through mid-2026 comes to 18 matters totaling roughly $90.8 million.

How many cyber False Claims Act settlements has the DOJ announced?

The DOJ has publicly announced at least 17 cybersecurity-related civil False Claims Act settlements since it launched the Civil Cyber-Fraud Initiative on October 6, 2021, totaling at least $82,228,588 through June 18, 2026. The count depends on how you define a “settlement.” We use a release-level count: one entry per DOJ announcement. When DOJ announced Guidehouse and Nan McKay together in a single release, we treat that as one matter and record both defendant amounts inside it.

That definition matters, because different counting rules produce different totals, and this is where most published figures diverge. Count the two ERAP defendants separately and you get 18. Restrict the list to matters where DOJ leaned on the defense cybersecurity stack — NIST SP 800-171, DFARS, an SPRS score, or a DIBCAC assessment — and you get 7. Restrict it to the government’s own fiscal year and you get 9. We show all of these views below, with the exact cases in each, so you can apply whichever definition your own analysis requires.

A few definitions we’ll use throughout. A qui tam case (Latin, roughly “on behalf of the king”) is a whistleblower lawsuit filed under the False Claims Act by a private party — the relator — on the government’s behalf; if it succeeds, the relator receives 15%–30% of the recovery. NIST SP 800-171 Rev. 2 is the National Institute of Standards and Technology publication behind the 110-point DoD assessment score that contractors post in the Supplier Performance Risk System (SPRS). The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is the DoD body that conducts higher-confidence assessments of that score. These terms show up in nearly every defense-related settlement below.

The complete cyber False Claims Act settlement tracker

Below is every DOJ-announced cyber False Claims Act settlement from the first one in 2019 through June 2026, with the defendant, date, agency, allegation, amount, and whistleblower share. Each row links to the primary Department of Justice source. Amounts are the settlement figures DOJ announced; where DOJ said “at least,” we use that as a floor.

Download the data: cyber-fca-settlement-tracker.csv

Table 1 — DOJ cyber False Claims Act settlements, 2019–2026
| Date | Defendant | Agency / program | Core allegation | Amount | Qui tam / relator share | Source |
| --- | --- | --- | --- | --- | --- | --- |
| | Cisco Systems, Inc. (pre-Initiative; first ever) | DHS, Secret Service, FEMA, U.S. military + states | Sold Video Surveillance Manager software with known vulnerabilities enabling network/camera compromise | $8,600,000 | Yes — James Glenn (~20%, ~$1.75M) | NY AG |
| | Comprehensive Health Services LLC (first under the Initiative) | State Dept. & Air Force (overseas medical) | Falsely represented it stored patient medical records on a secure system | $930,000 | Yes — two qui tam actions; share not stated | DOJ |
| | Aerojet Rocketdyne, Inc. (first litigated to trial) | DoD, NASA | Misrepresented cybersecurity compliance in federal contracts | $9,000,000 | Yes — Brian Markus, $2,610,000 | DOJ |
| | Jelly Bean Communications Design LLC + Jeremy Spinks | CMS-funded Florida children’s health insurance site | Failed to secure a website; unpatched software; 2020 hack exposed 500,000+ applications | $293,771 | No relator stated in DOJ release | DOJ |
| | Verizon Business Network Services LLC | GSA / Managed Trusted IP Services | Incomplete cybersecurity controls on secure internet service to agencies | $4,091,317 | No relator; self-disclosed and cooperated | DOJ |
| | Insight Global LLC | PA Dept. of Health / COVID-19 contact tracing | Failed to protect PHI; unencrypted emails; shared passwords; public Google files | $2,700,000 | Yes — Terralyn Williams Seilkop, $499,500 | DOJ |
| | Guidehouse Inc. & Nan McKay and Associates | Treasury-funded NY Emergency Rental Assistance Program | Required pre-launch cybersecurity testing not completed; PII exposed 12 hours after go-live | $11,300,000 (Guidehouse $7.6M; Nan McKay $3.7M) | Yes — Elevation 33 LLC, $1,949,250 | DOJ |
| | ASRC Federal Data Solutions LLC | CMS / Medicare beneficiary data | PII not individually encrypted; data breach | $306,722 (+ waiver of ≥$877,578) | No relator; cooperation credit | DOJ |
| | The Pennsylvania State University | DoD, NASA (15 contracts/subcontracts) | Misrepresented dates for implementing controls; weak POA&M follow-through; non-compliant cloud service | $1,250,000 | Yes — Matthew Decker (former ARL CIO), $250,000 | DOJ |
| | Health Net Federal Services LLC & Centene Corp. | DoD / Defense Health Agency / TRICARE | False annual cyber certifications; skipped vulnerability scanning; ignored audit warnings | $11,253,400 | No relator stated in DOJ release | DOJ |
| | MORSECORP Inc. | Army, Air Force | Non-compliant email host; unimplemented NIST 800-171 controls; no system security plan; false SPRS score | $4,600,000 | Yes — relator Berich, $851,000 (18.5%) | DOJ |
| | Raytheon, RTX Corp. & Nightwing (successor-liability case) | DoD (29 contracts/subcontracts, 2015–2021) | Ran a non-compliant internal system storing CUI/FCI; DFARS 252.204-7012; FAR 52.204-21 | $8,400,000 | Yes — Branson K. Fowler Sr., $1,512,000 | DOJ |
| | Hill ASC Inc. (Hill Associates) (largest to date) | GSA Multiple Award Schedule (IT / HACS) | Billed for cybersecurity services it wasn’t approved to provide; underqualified labor; out-of-scope work | at least $14,750,000 | No relator stated in DOJ release | DOJ |
| | Illumina, Inc. (first medical-device product case) | Federal agencies (genomic sequencers) | Product cybersecurity vulnerabilities; inadequate security program; false ISO/NIST representations | $9,800,000 | Yes — Erica Lenore, $1,900,000 | DOJ |
| | Aero Turbine Inc. & Gallant Capital Partners LLC (first private-equity co-defendant) | Air Force | Unimplemented NIST 800-171 controls; CUI accessible to unauthorized foreign persons | $1,750,000 | No relator; voluntary self-disclosure | DOJ |
| | Georgia Tech Research Corporation | Air Force, DARPA (~$31M contracts) | No anti-virus/anti-malware in a research lab; no SSP; false summary-level (SPRS) score of 98 | $875,000 | Yes — Christopher Craig & Kyle Koza, $201,250 | DOJ |
| | Swiss Automation, Inc. (first subcontractor/supplier case) | DoD prime contractors (technical drawings) | Inadequate cybersecurity (NIST 800-171) for CUI drawings supplied to primes | $421,234 | Yes — Jaime Gomez, $65,291 | DOJ |
| | LOGZONE, Inc. | Navy (Naval Oceanographic Command) | Self-assessed a perfect NIST 800-171 score of 110; DCMA/DIBCAC scored it −170 | $507,144 | No relator stated in DOJ release | DOJ |

Source: U.S. Department of Justice press releases and settlement records, compiled and verified by The Defense Compliance Report. Amounts are announced settlement totals; the Cisco figure combines a federal share (~$2.6M) and a multistate/D.C. share (~$6M, confirmed by the New York Attorney General). Last verified .

Cyber False Claims Act settlements data by year

Cyber False Claims Act enforcement was nearly flat for its first two years and then jumped sharply: calendar-year 2025 alone produced eight settlements worth $51,849,634 — more than every prior year combined. The table below counts settlements at the release level (the Guidehouse/Nan McKay matter is one entry) and separates the 2019 Cisco case, which predates the Initiative.

Table 2 — Cyber False Claims Act settlements by year
| Year | Settlements | Total value | Note |
| --- | --- | --- | --- |
| 2019 | 1 | $8,600,000 | Cisco — pre-Initiative |
| 2021 | 0 | $0 | Initiative launched October 6 |
| 2022 | 2 | $9,930,000 | First settlements under the Initiative |
| 2023 | 2 | $4,385,088 | |
| 2024 | 4 | $15,556,722 | |
| 2025 | 8 | $51,849,634 | Sharpest year on record |
| 2026 (through ) | 1 | $507,144 | |
| Initiative-era total (2022–2026) | 17 | $82,228,588 | |

Source: The Defense Compliance Report, computed from Table 1. Last verified .

Why do the settlement counts differ — nine, eight, seven, fifteen, seventeen?

The main reason cyber FCA settlement counts vary is the date window and the counting rule, not the underlying facts. DOJ’s fiscal-year 2025 fact sheet reports “over $52 million in nine cybersecurity fraud settlements.” Industry year-in-review coverage of calendar-year 2025 reports eight settlements totaling $51,849,634. Both are right — DOJ is measuring its fiscal year (October 1, 2024 to September 30, 2025), while the calendar-year figure runs January through December 2025. We verified this by dropping each settlement into the correct window.

Here is exactly what moves. DOJ’s fiscal-year count includes the two October 2024 settlements (ASRC Federal and Penn State) because they fall in FY2025, and excludes the December 2025 Swiss Automation settlement because that landed in FY2026. The calendar-year count does the opposite: it drops the October 2024 pair and picks up Swiss Automation.

Table 3 — The same year, two ways: fiscal year vs. calendar year 2025
| Window | Count | Total | Cases included |
| --- | --- | --- | --- |
| Fiscal year 2025 (Oct 1, 2024 – Sep 30, 2025) | 9 | $52,985,122 | ASRC Federal, Penn State, Health Net/Centene, MORSECORP, Raytheon/RTX/Nightwing, Hill ASC, Illumina, Aero Turbine/Gallant, Georgia Tech |
| Calendar year 2025 (Jan 1 – Dec 31, 2025) | 8 | $51,849,634 | Health Net/Centene, MORSECORP, Raytheon/RTX/Nightwing, Hill ASC, Illumina, Aero Turbine/Gallant, Georgia Tech, Swiss Automation |

Source: The Defense Compliance Report, computed from Table 1. Last verified .

Two other counts float around, and both are defensible. Some practitioners say the Department has settled “fifteen” civil cyber-fraud cases since the Initiative began — that figure counts matters through the end of FY2025 and stops before Swiss Automation and LOGZONE. And you’ll occasionally see “seven cybersecurity cases in 2025,” which typically counts calendar-year 2025 but excludes Hill ASC, treating it as a GSA-schedule billing case rather than a cybersecurity case. That last call is a judgment about scope, which brings us to the one settlement that reshapes the whole picture.

The largest cyber False Claims Act settlement is a case most trackers miss

The single largest cyber-related False Claims Act settlement to date is Hill ASC Inc., doing business as Hill Associates, which agreed on July 14, 2025 to pay at least $14.75 million — larger than the two headline defense cases (Health Net/Centene at $11.25M and the combined Guidehouse/Nan McKay matter at $11.3M). We flag it because several roundups leave it out, and its absence is exactly what makes the fiscal-year math look impossible.

Hill is different from the NIST 800-171 cases that dominate the headlines. According to the DOJ release, the Rockville, Maryland IT firm billed federal agencies through GSA’s Multiple Award Schedule from 2018 to 2023 for information-technology personnel who lacked the required experience, and — the cyber hook — submitted claims for highly adaptive cybersecurity services (HACS) even though it had not passed GSA’s required technical evaluation to offer them. No relator is named in the release; the matter was worked by GSA’s Inspector General, Treasury OIG, and the IRS’s TIGTA.

When we added Hill to our tracker, the fiscal-year 2025 total snapped into place: nine settlements, $52,985,122 — “over $52 million in nine,” exactly as DOJ reported. It was the missing ninth case.

Table 4 — The ten largest cyber FCA settlements (2019–2026)
| Rank | Defendant | Amount | Year | Type |
| --- | --- | --- | --- | --- |
| 1 | Hill ASC (Hill Associates) | at least $14,750,000 | 2025 | GSA schedule / cybersecurity-services scope |
| 2 | Guidehouse + Nan McKay (combined) | $11,300,000 | 2024 | Pre-launch cyber testing / PII |
| 3 | Health Net Federal Services / Centene | $11,253,400 | 2025 | TRICARE cyber certification |
| 4 | Illumina | $9,800,000 | 2025 | Medical-device product cybersecurity |
| 5 | Aerojet Rocketdyne | $9,000,000 | 2022 | Misrepresented compliance |
| 6 | Cisco Systems (pre-Initiative) | $8,600,000 | 2019 | Vulnerable product sold to government |
| 7 | Raytheon / RTX / Nightwing | $8,400,000 | 2025 | NIST 800-171 / DFARS / successor liability |
| 8 | MORSECORP | $4,600,000 | 2025 | NIST 800-171 / false SPRS score |
| 9 | Verizon Business Network Services | $4,091,317 | 2023 | Incomplete secure-internet controls |
| 10 | Insight Global | $2,700,000 | 2024 | COVID-19 contact-tracing data safeguards |

Source: The Defense Compliance Report, compiled from DOJ press releases. The Guidehouse/Nan McKay matter is one resolution with two defendants. Last verified .

How much have cyber FCA whistleblowers received?

Across the cases where DOJ stated a relator’s share, whistleblowers in cyber False Claims Act settlements have been awarded a combined $9,838,291. Whistleblowers drove many of these cases: of the 17 Initiative-era release-level settlements, at least 10 began as qui tam suits filed by employees or insiders, and five of the eight calendar-year 2025 settlements were qui tam actions. The rest came from voluntary self-disclosure or cooperation credit (Verizon, ASRC Federal, and Aero Turbine/Gallant), government-initiated investigations (Health Net/Centene, and — via a DIBCAC assessment — LOGZONE), or a DOJ release that named no relator (Hill ASC).

We cross-checked this the hard way. Summing only the 2025 relator shares in our tracker — MORSECORP ($851,000), Raytheon ($1,512,000), Illumina ($1,900,000), Georgia Tech ($201,250), and Swiss Automation ($65,291) — gives $4,529,541, which matches the calendar-2025 whistleblower total reported independently in industry coverage to the dollar. That reconciliation is one reason we’re confident in the figures below.

Table 5 — Whistleblower (relator) shares, where DOJ stated them
| Case | Relator | Share |
| --- | --- | --- |
| Aerojet Rocketdyne (2022) | Brian Markus | $2,610,000 |
| Guidehouse / Nan McKay (2024) | Elevation 33 LLC | $1,949,250 |
| Illumina (2025) | Erica Lenore | $1,900,000 |
| Raytheon / RTX / Nightwing (2025) | Branson K. Fowler Sr. | $1,512,000 |
| MORSECORP (2025) | relator Berich | $851,000 |
| Insight Global (2024) | Terralyn Williams Seilkop | $499,500 |
| Penn State (2024) | Matthew Decker (former ARL CIO) | $250,000 |
| Georgia Tech (2025) | Christopher Craig & Kyle Koza | $201,250 |
| Swiss Automation (2025) | Jaime Gomez | $65,291 |
| Total (stated shares) | | $9,838,291 |
| Cisco (2019, pre-Initiative) | James Glenn | ~$1,750,000 (~20%) |

Source: The Defense Compliance Report, from DOJ press releases and court filings. Comprehensive Health Services resolved qui tam actions but DOJ did not state a share, so it is excluded from the total. Last verified .

Which cyber FCA settlements involved NIST 800-171, DFARS, SPRS, or DIBCAC?

Seven of the Initiative-era settlements turned on the explicit defense cybersecurity stack — NIST SP 800-171, DFARS 252.204-7012, the SPRS assessment score, or a DIBCAC review — and together they account for about $17.8 million. This is the subset defense contractors preparing for CMMC should study, because the allegations map directly onto the artifacts assessors check: implemented controls, a system security plan, a plan of action and milestones, and an accurate SPRS score. Related context on CMMC enforcement data is in our CMMC Statistics 2026 reference page.

Two definitions for this group. SPRS is the DoD system where contractors post their NIST 800-171 self-assessment score, on a scale that tops out at 110. DIBCAC is the Defense Industrial Base Cybersecurity Assessment Center, the DoD body that conducts higher-confidence assessments. The pattern across these cases is stark: contractors posted optimistic self-scores, and later assessments found the truth.

Table 6 — The defense-cybersecurity-stack settlements (NIST 800-171 / DFARS / SPRS / DIBCAC)
| Case | What the DOJ release keyed on | Score / requirement cited | Amount | Relator share |
| --- | --- | --- | --- | --- |
| MORSECORP (2025) | NIST 800-171; no SSP; false SPRS score | Reported a score its own consultant had flagged as −142 | $4,600,000 | $851,000 |
| Raytheon / RTX / Nightwing (2025) | DFARS 252.204-7012; FAR 52.204-21 | Non-compliant covered system across 29 contracts | $8,400,000 | $1,512,000 |
| Aero Turbine / Gallant (2025) | NIST 800-171 (110 controls) | CUI accessible to unauthorized foreign persons | $1,750,000 | |
| Georgia Tech (2025) | NIST 800-171; no SSP; false summary score | Submitted a campus-wide score of 98 based on a fictitious environment | $875,000 | $201,250 |
| Swiss Automation (2025) | NIST 800-171 (subcontractor flow-down) | Inadequate security for CUI technical drawings | $421,234 | $65,291 |
| LOGZONE (2026) | NIST 800-171; DIBCAC assessment | Self-scored 110; DIBCAC scored −170 (range −203 to 110) | $507,144 | |
| Penn State (2024) | NIST 800-171; assessment-date misrepresentation; POA&M | Misrepresented when controls would be implemented | $1,250,000 | $250,000 |
| Total | | | $17,803,378 | |

Source: The Defense Compliance Report, from DOJ press releases. Last verified .

The broader defense-related group — anything tied to DoD, the military services, NASA, or a defense prime — is larger once you include cases that involve defense agencies without DOJ naming a specific control (for example, Comprehensive Health Services and Aerojet Rocketdyne). We keep the two views separate on purpose, because “defense-related” and “explicit NIST 800-171 case” are not the same thing, and conflating them is a common error.

What allegation patterns show up most often?

Cyber FCA settlements cluster into five repeat fact patterns, and the money is spread across all of them — no single theory dominates. We assigned each Initiative-era matter to its dominant theme; several involved more than one issue, and the notes call those out. The through-line is misrepresentation, not intrusion.

Table 7 — Allegation patterns across the 17 Initiative-era settlements
| Allegation pattern | Cases | Count | Settlement dollars | Notes |
| --- | --- | --- | --- | --- |
| False or inaccurate assessment / SPRS score / certification | MORSECORP, Georgia Tech, LOGZONE, Penn State, Health Net/Centene | 5 | $18,485,544 | The “you certified compliance and weren’t” cases |
| Unimplemented NIST 800-171 / DFARS controls | Aerojet, Verizon, Raytheon, Aero Turbine, Swiss Automation | 5 | $23,662,551 | Controls simply not in place |
| Failure to safeguard PII/PHI | CHS, Jelly Bean, Insight Global, Guidehouse/Nan McKay, ASRC Federal | 5 | $15,530,493 | Includes insecure hosting and skipped required testing |
| Vulnerable product sold to the government | Illumina (+ Cisco pre-Initiative) | 1 | $9,800,000 | Plus Cisco (2019), the pre-Initiative original |
| Billing for cybersecurity services/scope not approved | Hill ASC | 1 | $14,750,000 | The single largest matter |
| Total | | 17 | $82,228,588 | |

Source: The Defense Compliance Report, computed from Table 1; each matter assigned to its dominant theme. Last verified .

Do cyber False Claims Act cases require a data breach?

No. In most of these settlements, the government never alleged that anyone breached the contractor’s systems — 13 of the 17 Initiative-era matters rested on misrepresentation alone. Liability turns on the false statement — a certification of compliance, an inflated assessment score, a claim submitted while knowingly out of compliance — not on a hacker getting in. DOJ officials have said as much publicly, describing cyber-fraud cases as premised on misrepresentations rather than on data breaches.

Table 8 — Was a breach or data exposure alleged? (17 Initiative-era matters)
| Breach or exposure alleged | Cases |
| --- | --- |
| Yes (4) | Jelly Bean (2020 hack, 500,000+ applications exposed), Guidehouse/Nan McKay (PII exposed 12 hours after launch), ASRC Federal (2022 breach), Insight Global (PHI in unencrypted emails and public files) |
| No breach alleged (13) | Cisco, CHS, Aerojet, Verizon, Penn State, Health Net/Centene, MORSECORP, Raytheon, Hill ASC, Illumina, Aero Turbine, Georgia Tech, LOGZONE |

Source: The Defense Compliance Report, from the DOJ releases in Table 1. “No breach alleged” means the DOJ release did not allege a breach; it is not a finding that no breach ever occurred. Last verified .

The practical takeaway for contractors: a clean security record does not protect you if your certifications, scores, or system security plans don’t match reality. The DOJ releases for MORSECORP, Georgia Tech, Aero Turbine, and LOGZONE did not allege a breach at all — the misrepresentation was enough.

What is the DOJ Civil Cyber-Fraud Initiative?

The Civil Cyber-Fraud Initiative is a DOJ enforcement program, announced by then-Deputy Attorney General Lisa Monaco on October 6, 2021, that uses the False Claims Act to pursue government contractors and grant recipients who misrepresent their cybersecurity. It targets three kinds of conduct: knowingly providing deficient cybersecurity products or services, knowingly misrepresenting security practices, and knowingly failing to monitor and report cyber incidents. Because the False Claims Act carries treble (triple) damages plus per-claim penalties, it gives the government real financial leverage over cyber noncompliance.

The reach has widened over time, as the year-by-year table above shows: two settlements in 2022, eight in 2025. The Department now tends to describe these as “cybersecurity fraud” settlements rather than by the Initiative’s name, but the enforcement has not slowed — its fiscal-year 2025 fact sheet reports over $52 million in nine such settlements. The theory now reaches defense primes, universities, medical-device makers, private-equity owners, and, as of December 2025, subcontractors deep in the supply chain.

What this data shows — and what it doesn’t

This tracker shows the public, DOJ-announced universe of civil cyber False Claims Act settlements and the amounts DOJ chose to announce. It does not show the full scope of cyber-compliance enforcement. It captures settled matters, not sealed investigations, ongoing litigation, or interventions without a resolution. It excludes criminal cases without a civil settlement, state-only actions, private data-breach class actions, and FTC or SEC matters. And a settlement amount is the announced figure, which can understate total exposure — Hill’s is “at least” $14.75 million, and ASRC’s excludes a separate waiver of at least $877,578 in remediation costs.

One more honest caveat on counting: our totals treat the Guidehouse/Nan McKay matter as one release with two defendants, and they exclude the pre-Initiative Cisco settlement from the “17” headline (we report it separately). Change either rule and the top-line number shifts. We’ve shown the components in every table so you can recount however your own analysis requires.

Methodology: how we built and verified this tracker

We built this list from primary sources — DOJ press releases, settlement announcements, and DOJ’s annual False Claims Act materials — and verified each figure against the issuing release. For every settlement we recorded the announcement date, defendant, agency or program, allegation category, settlement amount, qui tam status, and stated relator share, and we linked the row to its DOJ source. Where secondary sources (law-firm alerts, industry year-in-reviews) reported a figure, we used them only as a cross-check, never as the primary record.

Our inclusion rule: a civil False Claims Act settlement or resolution announced after the October 6, 2021 launch of the Initiative, where the DOJ release ties the matter to cybersecurity requirements, cybersecurity products or services, cybersecurity representations, secure hosting, or cyber incident and reporting obligations. We count at the release level and note multiple defendants inside a matter. We treat “at least” amounts as floors and do not add separately announced waivers into the settlement total. We include the 2019 Cisco settlement as clearly labeled historical context because it is widely recognized as the first cyber False Claims Act settlement, but we exclude it from Initiative-era totals; its amount combines a federal share and a multistate share, the latter confirmed by the New York Attorney General.

Two verification steps gave us confidence in the aggregates. First, adding Hill ASC reconciled our fiscal-year 2025 total to DOJ’s own “over $52 million in nine settlements.” Second, our calendar-2025 whistleblower shares summed to $4,529,541, matching an independently reported 2025 total to the dollar. We re-verify the tracker on the date shown at the top of the page and after each new DOJ cyber settlement and each annual DOJ False Claims Act report.

The Defense Compliance Report is an independent trade publication covering CMMC 2.0 and Defense Industrial Base compliance. This page is an independent reference resource and is not affiliated with the Department of Justice, the Department of Defense, DCMA DIBCAC, NIST, the Cyber AB, or any government agency. It is educational research, not legal advice; contractors facing potential False Claims Act exposure should consult qualified counsel.

Frequently asked questions

How many cyber False Claims Act settlements have there been?
At least 17 cybersecurity-related civil False Claims Act settlements since the DOJ launched its Civil Cyber-Fraud Initiative on October 6, 2021, totaling at least $82,228,588 through June 18, 2026. Counting the pre-Initiative Cisco settlement (2019), the total is 18 matters and roughly $90.8 million.
What is the largest cyber False Claims Act settlement?
Hill ASC Inc. (Hill Associates), at least $14.75 million, announced July 14, 2025 — a GSA schedule case involving cybersecurity services the company wasn’t approved to bill. The largest defense-related settlement is Health Net Federal Services and Centene at $11,253,400 (TRICARE), and the largest explicit NIST/DFARS settlement is Raytheon / RTX / Nightwing at $8,400,000.
What was the first cyber False Claims Act settlement?
Cisco Systems’ $8.6 million settlement on July 31, 2019 is generally recognized as the first. The first settlement under DOJ’s Civil Cyber-Fraud Initiative was Comprehensive Health Services, $930,000, on March 8, 2022.
Why do DOJ and law firms report different settlement counts?
Mostly the date window. DOJ’s fiscal-year 2025 count is nine settlements ($52,985,122); a calendar-year 2025 count is eight ($51,849,634). The two windows swap the October 2024 settlements (ASRC Federal and Penn State) for the December 2025 Swiss Automation settlement.
Which cases involved NIST SP 800-171 or SPRS scores?
Seven turned on the explicit defense cybersecurity stack: MORSECORP, Raytheon/RTX/Nightwing, Aero Turbine/Gallant, Georgia Tech, Swiss Automation, LOGZONE, and Penn State — about $17.8 million combined.
How much have cyber FCA whistleblowers received?
Across settlements where DOJ stated a relator share, whistleblowers were awarded a combined $9,838,291. The largest single share was $2,610,000 (Aerojet Rocketdyne).
Does a settlement mean the defendant admitted liability?
No. In each of these matters the claims were allegations only, and there was no determination of liability. A few settlements included specific admissions of fact (for example, the ERAP matter and MORSECORP), but a settlement is not a finding of guilt.
Do these cases require a data breach?
No. Thirteen of the 17 Initiative-era matters involved no alleged breach; liability is based on the misrepresentation — a false certification, an inaccurate SPRS score, or a claim submitted while knowingly noncompliant.

How to cite this page

Suggested citation:

The Defense Compliance Report Editorial Team. “Cyber False Claims Act Settlements: The Complete DOJ Tracker (2021–2026).” The Defense Compliance Report. Last verified . https://thedefensecompliancereport.com/research/cyber-false-claims-act-settlements/

Figures on this page are compiled from U.S. Department of Justice press releases; each settlement in the tracker links to its primary source.


Last verified: · Compiled by The Defense Compliance Report editorial team from U.S. Department of Justice primary sources.