Cybersecurity and Government Contracts: What You Should Know as a Whistleblower

If you’ve worked for a company that holds federal contracts, especially in tech, healthcare, or defense, you might be surprised to learn that cybersecurity failures can be considered fraud against the government. The U.S. Department of Justice (DOJ) is actively investigating and settling cases where companies misrepresented their cybersecurity practices.

This growing area of enforcement is part of the DOJ’s Civil Cyber-Fraud Initiative (CCFI), which focuses on holding contractors accountable when they fail to meet cybersecurity standards required by their government contracts.

How Cybersecurity Can Become Fraud
When a company signs a contract with the federal government, it often agrees to follow specific cybersecurity rules, such as protecting sensitive data, reporting breaches, and using secure systems. These rules come from frameworks like:

– NIST 800-171 (for protecting controlled unclassified information),
– FedRAMP (for cloud services),
– CMMC 2.0 (for defense contractors).

If a company is dishonest about following these rules, or fails to report a breach, that can be considered a false claim under the False Claims Act.

Real Cases from 2025
Here are a few examples of recent enforcement actions:
– Penn State University: allegedly failed to follow cybersecurity rules across 15 contracts. Settled for $1.25 million, with $250,000 awarded to the whistleblower.
– ASRC Federal Data Solutions: stored Medicare data in unencrypted screenshots. A subcontractor’s system was compromised, but the main contractor was still held responsible.
– Hill ASC Inc.: paid $14.75 million to settle claims involving under-qualified IT staff, failed cybersecurity evaluations, and misleading pricing and scope.

What This Means for Whistleblowers
You don’t need to be a cybersecurity expert to spot fraud. Some of the strongest cases may come from:
– Project managers who saw fake certifications,
– Billing clerks who noticed overcharges,
– Compliance officers who flagged unreported breaches.

Why This Matters Now
The government is ramping up enforcement, especially with the rollout of CMMC 2.0 for defense contractors.

If you’ve seen something suspicious, you should consider speaking with a whistleblower attorney. You could help protect taxpayer dollars, improve cybersecurity, and even receive a financial reward if the case succeeds.

This piece was written by Clark Bolton, a Whistleblower Attorney for Morgan and Morgan’s Complex Litigation Group.