
Recent DOJ Settlements Highlight Risks for Subcontractors Handling Sensitive Government Information

Client Alerts • November 05, 2025

On September 30, the U.S. Department of Justice (DOJ) announced an $875,000 settlement with a university over failures to comply with the data security obligations in certain contracts with the Air Force and the Defense Advanced Research Projects Agency (DARPA). This announcement, along with several other recent settlement announcements by the DOJ and its Civil Cyber-Fraud Initiative, highlights the contract compliance risks for government contractors and subcontractors who handle sensitive government information yet fail to comply with the federal government’s cybersecurity requirements.

The university’s case and several like it involve compliance with the requirements of DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting). This DFARS clause is a federal regulation that establishes minimum standards for how defense contractors and subcontractors must protect sensitive government information and report cybersecurity incidents to the federal government. For example, the regulation requires that contractors processing government information within their own systems provide adequate security on covered contractor information systems by implementing the security controls in National Institute of Standards and Technology (NIST) SP 800-171. These and other requirements must be flowed down to subcontractors that provide operationally critical support or whose performance involves covered defense information.

The DOJ’s $875,000 settlement in the university’s case resolved a series of claims alleging that the university violated these and other requirements by failing to install, update, or run anti-virus or anti-malware tools on desktops, laptops, servers, and networks used to conduct sensitive cyber-defense research; failing to maintain a system security plan as required by its contracts; and submitting a false summary-level cybersecurity assessment score to the Department of Defense (DOD).

What is notable about the recent DOJ settlement is that the university’s case was initiated as a qui tam whistleblower action by relators who were senior members of the cybersecurity team and who, according to the complaint, appear to have tried to raise the compliance concerns with the university. While the university’s settlement is the latest in a series of recent settlements reaching six-, seven-, and even eight-figure dollar amounts, others were also initiated by relators who were senior technology leaders. For example, in May 2025, the DOJ settled with MORSE Corp Inc. for $4.6 million in a case initiated by a qui tam relator who was the head of security and facility security officer for the defendant company’s headquarters in Cambridge, Massachusetts. Likewise, a May 2025 settlement for $8.6 million with Raytheon was initiated by a relator who was formerly the company’s director of engineering.

Key Takeaways for Contractors and Subcontractors

The case involving the university and other recent cases highlight the importance for contractors and subcontractors of fully complying with the cybersecurity requirements in government contracts. Some important takeaways to consider are:

  • Federal contractors and subcontractors should recognize that the federal government’s insistence on compliance with cybersecurity requirements is likely to increase over time.

  • The DOJ’s Civil Cyber-Fraud Initiative’s charter is broad and addresses cybersecurity-related fraud by government contractors and grant recipients. Accordingly, companies receiving federal awards should be diligent in keeping up with and complying with contract requirements in this area.

  • Cybersecurity requirements can be found in various places, such as the terms of the agreement, agency supplements, agency standard terms and conditions, FAQs, and elsewhere.

  • Contractors that comply with DOD cybersecurity rules such as DFARS 252.204-7012 or the final rule implementing the Cybersecurity Maturity Model Certification program requirements for DOD solicitations and contracts should not assume that all federal cybersecurity requirements have been addressed. Other agencies, such as the Department of Homeland Security (DHS) and DOJ, have their own rules that should be reviewed to determine whether and to what extent they apply.

  • Federal contractors should understand that new cybersecurity rules are in process and should stay informed as changes are put in place. See the proposed Federal Acquisition Regulation rule on Controlled Unclassified Information.

  • Companies should resist the temptation to cut corners or assume compliance, and should instead task their technology and contract management teams with inventorying and understanding the applicable cybersecurity compliance obligations and what is necessary to meet them. Engage outside counsel for support as necessary.

  • Finally, contractors and subcontractors should remember that their own employees are incentivized to monitor and report on compliance with federal regulations, including those related to cybersecurity.

See our prior alert on the Department of Defense issuing a final rule implementing contractual requirements related to cybersecurity.
