DOJ Settlement Underscores Cybersecurity Risks for Government Contractors

In a client alert by attorneys at Parker Poe, the authors detail how the US Department of Justice (DOJ) reached an $875,000 settlement with a university over alleged failures to meet cybersecurity obligations in contracts with the US Air Force and the Defense Advanced Research Projects Agency (DARPA). This case highlights the growing enforcement risk for government contractors and subcontractors under the DOJ’s Civil Cyber-Fraud Initiative, emphasizing the importance of government contractors ensuring compliance with cybersecurity requirements. 

The university was accused of violating requirements under the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, which mandates safeguards for covered defense information and the reporting of cyber incidents. According to the DOJ, the university allegedly failed to maintain a system security plan, did not properly use anti-malware tools, and submitted an inaccurate cybersecurity assessment to the US Department of Defense (DOD).

The settlement was initiated through a qui tam whistleblower action by a senior cybersecurity team member, mirroring similar DOJ actions against other defense contractors, including a $4.6 million settlement with Morse Corp. and an $8.6 million settlement with Raytheon, both in 2025. These cases reflect a clear pattern: insiders in key security roles are increasingly bringing forward False Claims Act allegations related to cybersecurity compliance.

For compliance officers, Parker Poe’s analysis serves as a warning that enforcement attention on contractor cybersecurity continues to expand. Contractors and subcontractors should actively review obligations under DFARS, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, and related federal standards. They should also anticipate that agencies like the US Department of Homeland Security (DHS) and the DOJ may impose their own cybersecurity requirements. Vigilance in documentation, risk management, and internal reporting processes remains essential for any organization handling sensitive federal information.