Skip to Content

New Cybersecurity Enforcement Through DOJ’s Civil Cyber-Fraud Initiative and the False Claims Act

On October 6, 2021, the Department of Justice opened up a new front in cybersecurity compliance when it announced a Civil Cyber-Fraud Initiative using the False Claims Act and other civil enforcement tools against government contractors and grant recipients.

This raises the specter not just of DOJ enforcement, but more numerous claims by private actors — specifically, whistleblowers or qui tam relators seeking a share of the government’s recovery. For example, in United States ex rel. Markus v. Aerojet Rocketdyne Holdings Inc., the relator — a former employee of the defendant — brought two claims of fraud under the False Claims Act. The relator alleged that the “defendants fraudulently entered into contracts with the federal government despite knowing that they did not meet the minimum [cybersecurity] standards required to be awarded a government contract.” The court declined to dismiss the False Claims Act claims, finding that the relator had “plausibly pled that defendants’ alleged failure to fully disclose its noncompliance [with relevant DOD and NASA regulations] was material to the government’s decision to enter into and pay on the relevant contracts.” And the potential costs in a case that might stem from the initiative are significant, as the False Claims Act also allows for triple damages.

The DOJ’s Fraud Section plans to target government contractors and grant recipients who (1) knowingly provide deficient cybersecurity products or services; (2) knowingly misrepresent their cybersecurity practices or protocols; or (3) knowingly violate obligations to monitor and report cybersecurity incidents and breaches — in other words, bad cybersecurity, misrepresentations about cybersecurity, and failure to report as required by statute, regulation, or contract.

According to the government, the Civil Cyber-Fraud Initiative was formed in direct response to the attitude of many companies that “have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it.” Accordingly, the DOJ plans to use its “civil enforcement tools” to identify government contractors who “fail to follow required cybersecurity standards.”

The civil initiative does not preclude parallel criminal enforcement actions. For example, 18 U.S.C. § 287 criminalizes the making of false, fictitious, or fraudulent claims upon the United States or conspiring to do so. It is not uncommon for those U.S. attorney’s offices that intervene in False Claims Act cases to assign criminal AUSAs to parallel investigations, so contractors and grant recipients who face a False Claims Act case or investigation should be aware of the possibility as they engage with the government.


  • Review your cybersecurity practices and protocols, including related regulations and your government contracts, to make sure your practices comply with federal law.
    • For example, FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, requires contractors to use certain "basic" security controls, such as limiting access, authenticating users, and identifying system flaws in a "timely manner.”
  • Review your obligations under the False Claims Act and its state law equivalents.
  • If you are faced with a civil False Claims Act case, be aware of the possibility that there may be a parallel criminal action.
©2024 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.


The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.