
Cybersecurity in focus: DOJ aggressively investigating contractors’ cybersecurity practices

The Justice Department recently resolved several investigations into federal contractors’ cybersecurity requirements as part of the federal government’s Civil Cyber-Fraud Initiative. The initiative, first announced in 2021, ushered in the DOJ’s efforts to pursue cybersecurity-related fraud by government contractors and grant recipients pursuant to the False Claims Act. Since then, the DOJ has publicly announced approximately 15 settlements against federal contractors, with the DOJ undoubtedly conducting even more investigations outside of the public’s view.

As an initial matter, these latest settlements signal that the new administration has every intention of continuing to prioritize government contractors’ cybersecurity practices and combating new and emerging cyber threats to the security of sensitive government information and critical systems. These settlements also coincide with the lead-up to the Nov. 10 effective date of the Defense Department’s final rule amending the Defense Federal Acquisition Regulation Supplement, which incorporates the standards of the Cybersecurity Maturity Model Certification.

Key DOJ cyber-fraud decisions

The first of these four recent DOJ settlements was announced in July 2025, and resulted in Hill Associates agreeing to pay the United States a minimum of $14.75 million. In this case, Hill Associates provided certain IT services to the General Services Administration. According to the DOJ’s allegations, Hill Associates had not passed the technical evaluations required by GSA for a contractor to offer certain highly adaptive cybersecurity services to government customers. Nevertheless, the contractor submitted claims charging the government for such cybersecurity services, which the DOJ alleged violated the FCA.

The second settlement, United States ex rel. Lenore v. Illumina Inc., was announced later in July 2025, and resulted in Illumina agreeing to pay $9.8 million — albeit with Illumina denying the DOJ’s allegations. According to the DOJ, Illumina violated the FCA by selling federal agencies, including the departments of Health and Human Services, Homeland Security and Agriculture, certain genomic sequencing systems that contained cybersecurity vulnerabilities. Specifically, the DOJ alleged that with respect to the cybersecurity of its product, Illumina: (1) falsely represented that its software and systems adhered to cybersecurity standards, including standards of the International Organization for Standardization and National Institute of Standards and Technology; (2) knowingly failed to incorporate product cybersecurity in its software design, development, installation and on-market monitoring; (3) failed to properly support and resource personnel, systems and processes tasked with product security; and (4) failed to adequately correct design features that introduced cybersecurity vulnerabilities.

That same day, the DOJ announced its third settlement, which was with Aero Turbine Inc. and Gallant Capital Partners, LLC (collectively, “Aero”), and resulted in a $1.75 million settlement. This settlement resolved the DOJ’s allegations that Aero violated the FCA by knowingly failing to comply with the cybersecurity requirements of its contract with the Department of the Air Force. Pursuant to the contract, Aero was required to implement the security requirements outlined by NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” but failed to fully do so. This included failing to control the flow of and limit unauthorized access to sensitive defense information when it provided an unauthorized Egypt-based software company and its personnel with files containing sensitive Defense information.

The fourth and latest DOJ settlement was announced in Sept. 2025, and resolved the DOJ’s FCA lawsuit against the Georgia Tech Research Corporation. As part of the settlement, GTRC agreed to pay $875,000 to resolve allegations resulting from a whistleblower complaint that it failed to meet the cybersecurity requirements in its DoD contracts. Specifically, the DOJ alleged that until December 2021, the contractor failed to install, update or run anti-virus or anti-malware tools on desktops, laptops, servers and networks while conducting sensitive cyber-defense research for the DoD. The DOJ further alleged that the contractor did not have a system security plan setting out cybersecurity controls, as required by the government contract. Lastly, the DOJ alleged that the contractor submitted a false summary-level cybersecurity assessment score of 98 to the DoD, a score premised on a “fictitious” environment that did not correspond to any system actually used to process, store or transmit sensitive Defense information.

Takeaways for federal contractors

These recent enforcement actions provide valuable guidance for federal contractors.

  • DOJ has explicitly stated that cyber fraud can exist regardless of whether a federal contractor experienced a cyber breach.
  • DOJ is focused on several practices to support allegations of cyber fraud, including a federal contractor’s cybersecurity practices during product development and deployment, as well as contractors’ statements regarding assessment scores and underlying representations.
  • DOJ takes whistleblower complaints seriously, with several of these actions stemming from complaints by federal contractors’ former employees.
  • To mitigate these risks, federal contractors should ensure that they understand and operationalize their contractual obligations, particularly with respect to the new DFARS obligations.
  • Federal contractors would be well advised to:
    • (1) review and understand their cybersecurity contractual obligations;
    • (2) develop processes to work with the appropriate internal teams (information security, information technology, etc.) to ensure that contractual obligations have been appropriately implemented; and
    • (3) develop processes to monitor compliance with the contractual obligations on an ongoing basis.

Joshua Mullen, Luke Cass, Christopher Lockwood and Tyler Bridegan are partners at Womble Bond Dickinson (US) LLP.

The post Cybersecurity in focus: DOJ aggressively investigating contractors’ cybersecurity practices first appeared on Federal News Network.

© Getty Images/iStockphoto/maxkabakov


US Authorities Bust Billion-Dollar Crypto Laundering Network, Charge 2 Russians

US Charges Two Russians in Billion-Dollar Crypto Laundering Network, Seizes $7M in Crypto

Two Russian nationals have been charged with running a massive money laundering network that processed billions through cryptocurrency exchanges, the U.S. Department of Justice (DOJ) announced. These exchanges, including Cryptex and Joker’s Stash, enabled criminals to bypass regulations and funnel funds from fraud, ransomware, and darknet activities. U.S. authorities, in collaboration with international law enforcement, […]

US Sentences Nigerian Darknet Fraud Leader to Five Years in Prison for $6M Scheme

A Nigerian national has been sentenced to five years in federal prison for his role in a massive darknet fraud scheme that intended to cause over $6 million in losses, according to the U.S. Department of Justice (DOJ). Using various online aliases, Kaura led a global network selling stolen payment card data, using cryptocurrencies like […]

DOJ Captures Alleged ‘Architect’ of Darknet Marketplace Incognito

According to the U.S. Department of Justice (DOJ), the operator of the darknet marketplace Incognito was apprehended at John F. Kennedy Airport on May 18. Law enforcement officials claim Rui-Siang Lin allegedly constructed the DNM and facilitated the sale of over $100 million worth of illegal drugs through the platform. Federal Authorities Nab Alleged Darknet […]

Hive Ransomware Network Dismantled by American, European Law Enforcement


Law enforcement authorities from over a dozen countries in Europe and North America have taken part in disrupting the activities of the Hive ransomware group, the U.S. Justice Department and Europol announced. Hive is believed to have targeted various organizations worldwide in the past couple of years, often extorting payments in cryptocurrency.

Captured Decryption Keys Helped Hive Victims Avoid Paying $130 Million in Ransom

Ransomware network Hive, which has had around 1,500 victims in more than 80 countries, has been hit in a months-long disruption campaign, the U.S. Department of Justice (DOJ) and the European Union Agency for Law Enforcement Cooperation (Europol) revealed. A total of 13 nations participated in the operation, including EU member states, the U.K. and Canada.

Hive has been identified as a major cybersecurity threat as the ransomware has been used by affiliated actors to compromise and encrypt data and computer systems of government facilities, oil multinationals, IT and telecom companies in the EU and U.S., Europol said. Hospitals, schools, financial firms, and critical infrastructure have been targeted, the DOJ noted.

Hive has been one of the most prolific ransomware strains, Chainalysis pointed out, collecting at least $100 million from victims since its launch in 2021. A recent report by the blockchain forensics company found that revenue from such attacks decreased last year, with a growing number of affected organizations refusing to pay the demanded ransoms.

According to the announcements by the law enforcement authorities, the U.S. Federal Bureau of Investigation (FBI) penetrated Hive’s computers in July 2022 and captured its decryption keys, providing them to victims around the world and thereby sparing them from paying another $130 million.

Working with the German Federal Police and the Dutch High Tech Crime Unit, the Bureau has now seized control over the servers and websites that Hive used to communicate with its members and the victims, including the darknet domain where the stolen data was sometimes posted. FBI Director Christopher Wray was quoted as stating:

The coordinated disruption of Hive’s computer networks … shows what we can accomplish by combining a relentless search for useful technical information to share with victims.

The Hive ransomware was created, maintained and updated by developers while being employed by affiliates in a ‘ransomware-as-a-service’ (RaaS) double extortion model, Europol explained. The affiliates would initially copy the data and then encrypt the files before asking for a ransom to decrypt the information and not publish it on the leak site.

The attackers exploited various vulnerabilities and used a number of methods, including single-factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols, as well as phishing emails with malicious attachments, the law enforcement agencies detailed.

Do you expect police authorities around the world to dismantle more ransomware networks in the near future? Tell us in the comments section below.
