Photo of Nkechi KanuPhoto of Kate GrowleyPhoto of Brian Tully McLaughlinPhoto of Jasmine Masri

On June 18, 2026, the U.S. Department of Justice (DOJ) announced that LOGZONE Inc., a defense contractor based in Huntsville, Alabama, agreed to pay $507,144 to resolve allegations that it violated the False Claims Act (FCA) by knowingly failing to satisfy cybersecurity requirements in its contracts with the U.S. Department of the Navy. The resolution is the latest action under DOJ’s Civil Cyber-Fraud Initiative and the first publicly reported settlement this fiscal year. It underscores a continued enforcement posture in which noncompliance with contractual cybersecurity obligations serves as the basis for potential FCA liability. Notably, this settlement did not arise from a whistleblower complaint but from a government-initiated assessment, signaling to contractors that proactive government assessments can pose enforcement consequences.

Background and Allegations

LOGZONE is a logistics services provider that was awarded two successive Navy contracts, in March 2021 and November 2022, to perform logistical, inventory, and facilities support services for the Naval Oceanographic Command Property Management Program (together, the NAVOCEANO Contracts). Through at least March 2025, LOGZONE received approximately $682,000 in payments under these contracts.

Both contracts incorporated Defense Federal Acquisition Regulation Supplement (DFARS) clauses: (i) 252.204-7012, which requires U.S. Department of Defense (DoD) contractors to provide adequate security on all covered contractor information systems by implementing the controls set forth in NIST Special Publication 800-171; and (ii) 252.204-7019 and 252.204-7020, which require contractors to post a current summary-level NIST SP 800-171 self-assessment score to the Supplier Performance Risk System (SPRS) and cooperate with higher confidence assessments conducted at the discretion of the Defense Contract Management Agency (DCMA).

In October 2021, LOGZONE submitted a self-assessed SPRS score of 110 — a perfect score indicating complete implementation of all required security controls. However, when the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) of the DCMA completed an independent assessment of LOGZONE’s actual controls in February 2024, LOGZONE received a score of -170, placing it near the low end of the possible scoring range.

The government alleged that, from May 2021 through March 2025, LOGZONE failed to fully implement required NIST SP 800-171 security controls across the information systems it used to process, store, or transmit covered defense information — and that it submitted invoices to the Navy throughout that period with knowledge of its noncompliance. Under the terms of the agreement, LOGZONE is required to pay $507,144, of which $253,572 constitutes restitution.  

Government-Driven Investigation

Unlike recent Civil Cyber-Fraud Initiative settlements driven by whistleblowers (e.g., Georgia Tech Research CorporationMORSECORP Inc.), the LOGZONE investigation was triggered by the government’s own assessment process. DOJ identified LOGZONE’s alleged compliance failures as a result of DCMA’s DIBCAC assessment that produced the -170 score — demonstrating that existing audit mechanisms now serve as independent FCA investigative tools.

Restitution Exceeds One-Third of Total Contract Payments

While the $507,144 settlement is modest relative to several settlements in 2025, the NAVOCEANO Contracts generated only approximately $682,000 in total payments during the relevant period. The percentage of the restitution when compared to the contract payments LOGZONE received during the period of alleged noncompliance exceeds one-third of the payments and is significant, particularly because LOGZONE did not provide cybersecurity services or products to its federal customers. Contractors of all sizes should be aware that their FCA exposure in a cybersecurity enforcement action can be a large proportion of government payments received under relevant contracts while those failures persisted.

Key Takeaways

  1. DIBCAC assessments can carry direct enforcement consequences. The LOGZONE matter illustrates that DCMA’s DIBCAC assessments are not merely compliance checkpoints; they can serve as the evidentiary foundation for FCA investigations and civil enforcement actions.
  2. The gap between self-reported and third-party assessed SPRS scores remains a key area of FCA liability risk. The delta between LOGZONE’s self-assessed score of 110 and its DIBCAC-assessed score of -170 is among the largest in public enforcement actions involving cybersecurity noncompliance. Contractors should rigorously validate self-assessment methodologies and ensure that scores reflect actual implementation rather than planned or aspirational states.
  3. The settlement amount is significant when measured against actual contract payments. With restitution alone exceeding one-third of LOGZONE’s total contract receipts, this resolution illustrates that a monetary resolution can amount to a substantial portion of the revenue a contractor earned. Small and mid-sized contractors are not insulated from significant proportional exposure simply because their contract values are lower.
  4. NIST SP 800-171 compliance is critical for DoD contractors. Enforcement actions continue to arise from alleged foundational gaps and noncompliance with DFARS 252.204-7012, 252.204-7019, and 252.204-7020. With the recently finalized Cybersecurity Maturity Model Certification (CMMC) program adding third-party verification, contractors now face an increasingly varied compliance and enforcement environment.
  5. Multi-agency coordination signals sustained enforcement focus. DOJ coordinated with the Department of the Navy’s Office of the General Counsel, the Naval Criminal Investigative Service (NCIS), the Army Criminal Investigation Division (CID), and DCMA in resolving this matter, and the settlement was announced in connection with the administration’s Task Force to Eliminate Fraud and the National Fraud Enforcement Division, underscoring that cybersecurity FCA enforcement enjoys broad interagency support and is unlikely to recede in the near term.
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Nkechi Kanu Nkechi Kanu

Nkechi A. Kanu is a counsel in the Washington, D.C. office of Crowell & Moring, where she is a member of the firm’s Government Contracts Group.

Nkechi’s practice focuses on False Claims Act investigations and litigation. Nkechi has significant experience assisting companies with…

Nkechi A. Kanu is a counsel in the Washington, D.C. office of Crowell & Moring, where she is a member of the firm’s Government Contracts Group.

Nkechi’s practice focuses on False Claims Act investigations and litigation. Nkechi has significant experience assisting companies with complex internal investigations and represents clients in government investigations involving allegations of fraud. She also focuses on assisting clients with investigations relating to cybersecurity and information security compliance. Her complementary litigation practice involves defending companies in government-facing litigation arising under the FCA, resulting in the dismissal of qui tam complaints and successful settlements of FCA claims with DOJ.

Photo of Kate Growley Kate Growley

Kate M. Growley (CIPP/US, CIPP/G) is a director with Crowell & Moring International and based in Hong Kong. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients understand, navigate, and shape the policy…

Kate M. Growley (CIPP/US, CIPP/G) is a director with Crowell & Moring International and based in Hong Kong. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients understand, navigate, and shape the policy and regulatory environment for some of the most complex data issues facing multinational companies, including cybersecurity, privacy, and digital transformation. Kate has worked with clients across every major sector, with particular experience in technology, health care, manufacturing, and aerospace and defense. Kate is a Certified Information Privacy Professional (CIPP) in both the U.S. private and government sectors by the International Association of Privacy Professionals (IAPP). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Photo of Brian Tully McLaughlin Brian Tully McLaughlin

Brian Tully McLaughlin is a partner in the Government Contracts Group in Washington, D.C. and co-chair of the False Claims Act Practice. Tully’s practice focuses on False Claims Act investigations and litigation, particularly trial and appellate work, as well as litigation of a…

Brian Tully McLaughlin is a partner in the Government Contracts Group in Washington, D.C. and co-chair of the False Claims Act Practice. Tully’s practice focuses on False Claims Act investigations and litigation, particularly trial and appellate work, as well as litigation of a variety of complex claims, disputes, and recovery matters. Tully’s False Claims Act experience spans procurement fraud, healthcare fraud, defense industry fraud, and more. He conducts internal investigations and represents clients in government investigations who are facing fraud or False Claims Act allegations. Tully has successfully litigated False Claims Act cases through trial and appeal, both those brought by whistleblowers / qui tam relators and the Department of Justice alike. He also focuses on affirmative claims recovery matters, analyzing potential claims and changes, counseling clients, and representing government contractors, including subcontractors, in claims and disputes proceedings before administrative boards of contract appeals and the Court of Federal Claims, as well as in international arbitration. His claims recovery experience includes unprecedented damages and fee awards. Tully has appeared and tried cases before judges and juries in federal district courts, state courts, and administrative boards of contract appeals, and he has argued successful appeals before the D.C. Circuit, the Federal Circuit, and the Fourth and Seventh Circuits.

Photo of Jasmine Masri Jasmine Masri

Jasmine Masri is an associate in Crowell & Moring’s Government Contracts and International Trade groups. Jasmine focuses her practice on global compliance issues, regulatory enforcement matters, and government investigations. Through her practice, Jasmine provides counsel on a variety of matters at the intersection…

Jasmine Masri is an associate in Crowell & Moring’s Government Contracts and International Trade groups. Jasmine focuses her practice on global compliance issues, regulatory enforcement matters, and government investigations. Through her practice, Jasmine provides counsel on a variety of matters at the intersection of government contracts and international trade, including cross-border government procurement, economic sanctions, and export controls.