2025 was a banner year for the Department of Justice (DOJ) Civil Cyber-Fraud Initiative (the “Initiative”), which started in October 2021 and heralded the U.S. Government’s new, more vigorous approach to enforcing federal acquisition regulations. Fluet has previously written on this important initiative. Under the Initiative, the DOJ would utilize the False Claims Act (“FCA”) to go after government contractors and grant recipients that knowingly submit claims that fall short of federal cybersecurity standards. The Initiative specifically targets those government contractors and grant recipients who (1) knowingly provide deficient cybersecurity products or services, (2) knowingly misrepresent their cybersecurity practices or protocols, or (3) knowingly violate obligations to monitor and report cybersecurity incidents and breaches. Now in its fifth year, the Initiative is not only showing no sign of slowing down but is accelerating, with the DOJ announcing on January 16, 2026, that FCA settlements and judgments exceeded $6.8 billion in fiscal year 2025, the largest amount ever in a single year. This continued trend of aggressive enforcement, coupled with increasing cybersecurity requirements for government contracts (see previous Fluet Insights on this), warrants close attention and has significant consequences for government contractors.
The 2025 enforcement landscape reveals five critical trends that every government contractor must understand:
- Settlement Agreement Payments Growing Dramatically: The aggregate value of the eight DOJ-announced Initiative-related cybersecurity settlement agreements in 2025 ($51,849,634) is 233 percent greater than the aggregate of the four 2024 settlement agreements ($15,556,722), illustrating the U.S. Government’s increasingly vigorous enforcement of the Initiative and the growing risk to government contractors whose cybersecurity compliance falls short of federal standards. Similarly, whistleblowers’ share of these settlements rose year-over-year from $2,698,750 to $4,529,541, a staggering 68 percent increase. The DOJ announced settlement agreements with the following government contractors in 2025:
| Entity | Settlement Amount | Whistleblower Share |
| --- | --- | --- |
| Health Net Federal Services Inc. (“HNFS”) and Centene Corporation | $11,253,400 | N/A |
| MORSECORP Inc. | $4,600,000 | $851,000 |
| Raytheon Company, RTX Corporation, and Nightwing Group LLC | $8,400,000 | $1,512,000 |
| Hill ASC Inc. | $14,750,000 | N/A |
| Illumina Inc. | $9,800,000 | $1,900,000 |
| Aero Turbine Inc. and Gallant Capital Partners LLC | $1,750,000 | N/A |
| Georgia Tech Research Corporation | $875,000 | $201,250 |
| Swiss Automation Inc. | $421,234 | $65,291 |
- Contractors Large and Small in Crosshairs: In 2025, DOJ Civil Cyber-Fraud Initiative targets ranged from large, sophisticated entities like Raytheon, Health Net Federal Services, and Georgia Tech to smaller, less visible government contractors, illustrating the perils at all levels of the industry.
- Many Industries in the Crosshairs: It would be incorrect to believe that only defense contractors are at risk of being swept up in DOJ’s enforcement of the Initiative; in 2025, government contractors involved in providing genomic sequencing, healthcare, and telecommunications services all reached settlement agreements with the Government, demonstrating that cybersecurity compliance has become nonnegotiable regardless of industry.
- Government Extracting Hefty Settlements: Settlement agreements announced by the DOJ this year in connection with FCA cybersecurity enforcement ranged from a low of $421,234 to a high of $14.75 million.
- Whistleblowers Playing Prominent Role: Of eight Initiative-related settlement agreements announced by DOJ in 2025, five were qui tam actions, meaning individuals, known as relators or whistleblowers, brought suits against alleged violators on behalf of the U.S. Government, at which point the U.S. Government may intervene.
For many government contractors, navigating the increased cybersecurity compliance requirements for government contracts can seem daunting. Failure to protect systems adequately risks not only costly breaches and loss to operations, but potentially civil claims and treble damages. Fortunately, however, government contractors can take steps to help avoid worst-case scenarios, including by adequately understanding compliance requirements, accurately documenting representations to the government, and, if failures occur, self-reporting, preferably with the assistance of counsel, which can result in lower penalties. To be sure, these steps can be complicated, and self-reporting can be an especially fraught undertaking, but Fluet attorneys are well-equipped to guide government contractors through this process.
Government contractors should waste no time in assessing their compliance with federal cybersecurity regulations and continue to update their programs as requirements evolve. Cybersecurity compliance cannot be a check-the-box exercise left only to the IT professionals.
Bringing in experienced, effective legal counsel early in the process can help contractors avoid the prospect of eight-figure settlements. For questions about cybersecurity compliance, self-reporting violations, or industry best practices, contact Fluet’s Government Contracts team.


