On September 30, 2025, the Department of Justice (DOJ) announced that Georgia Tech Research Corporation (GTRC) agreed to pay $875,000 to settle allegations that it violated the False Claims Act (FCA) and federal common law by failing to meet cybersecurity requirements under certain Air Force and Defense Advanced Research Projects Agency (DARPA) contracts. The settlement adds to the growing list of recoveries under DOJ’s Civil Cyber-Fraud Initiative and is yet another example of DOJ’s ongoing enforcement focus on cybersecurity obligations for federal contractors handling sensitive government information. The settlement also provides insight into how government contractors may challenge FCA liability when faced with allegations of cybersecurity noncompliance.Continue Reading From Yellow Jackets to Red Flags: DOJ Stings Georgia Tech for Alleged Cybersecurity Noncompliance
Jessica Chao
Hardening Software Security: DOJ’s Civil Cyber Fraud Settlements Continue to Illumina[te] the Importance of Cybersecurity
By Nkechi Kanu, Kate Growley, Brian Tully McLaughlin, Michael G. Gruden, CIPP/G, Jessica Chao & Jasmine Masri on
Posted in FCA, Government Contracts
On July 31, 2025, the Department of Justice (DOJ) announced that Illumina, Inc. will pay $9.8 million to resolve allegations that it violated the False Claims Act (FCA) by selling genomic sequencing systems with software containing cybersecurity vulnerabilities to federal agencies. This is the first FCA settlement involving claims that a medical manufacturer failed to incorporate adequate product cybersecurity into its software design and development.Continue Reading Hardening Software Security: DOJ’s Civil Cyber Fraud Settlements Continue to Illumina[te] the Importance of Cybersecurity
For Better or MORSE: Another Settlement Under DOJ’s Civil Cyber-Fraud Initiative
By Nkechi Kanu, Brian Tully McLaughlin, Stephen M. Byers, Jessica Chao, Jacob Harrison & Jasmine Masri on
Posted in Cybersecurity, Government Contracts
On March 26, 2025, the Department of Justice (DOJ) announced that defense contractor MORSECORP Inc. (MORSE) will pay $4.6 million to settle allegations that MORSE violated the False Claims Act (FCA) by failing to comply with cybersecurity requirements and subsequently submitting false or fraudulent claims for payment in its contracts with the Departments of the Army and Air Force. This is the first FCA settlement that is based on a defense contractor’s failure to reevaluate and promptly update its self-assessment score in the Supplier Performance Risk System (SPRS) after a third-party assessment resulted in a lower score.Continue Reading For Better or MORSE: Another Settlement Under DOJ’s Civil Cyber-Fraud Initiative
Canadian CMMC? Canada Proposes Cyber Compliance Regime for Canadian Defense Suppliers
By Kate Growley, Caitlyn Weeks, Michael G. Gruden, CIPP/G, Dan Wolff, Nkechi Kanu, Jessica Chao & Jacob Harrison on
Posted in Cybersecurity, Government Contracts
On March 12, 2025, the Government of Canada announced plans to launch the Canadian Program for Cyber Security Certification (CPCSC). CPCSC is a cybersecurity compliance verification program that aims to protect sensitive unclassified government information handled by Canadian government contractors and subcontractors within Canada’s defense sector. Canada will roll out CPCSC to contractors in four phases, with the first phase launching this month.Continue Reading Canadian CMMC? Canada Proposes Cyber Compliance Regime for Canadian Defense Suppliers
An Un[waiver]ing Commitment to CMMC: The Department of Defense Issues Guidance for Determining Assessment Levels
By Michael G. Gruden, CIPP/G, Dan Wolff, Nkechi Kanu, Jessica Chao, Kate Growley & Jacob Harrison on
Posted in Cybersecurity, Government Contracts
Amidst a flurry of executive cost-cutting, the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification program—often known just as “CMMC”— appears to be defying the odds and only picking up steam. Marking the first CMMC developments under the new administration, the DoD has published guidance that previews what to expect once CMMC is finalized. These developments suggest that the current administration intends to pick up where it left off, having first introduced the CMMC program during President Trump’s first term.Continue Reading An Un[waiver]ing Commitment to CMMC: The Department of Defense Issues Guidance for Determining Assessment Levels
Allegations of a Litany of Lyin’: Penn State Settles Claims of Cybersecurity Noncompliance
By Nkechi Kanu, Brian Tully McLaughlin, Jessica Chao, Jacob Harrison, Jennie Wang VonCannon & Stephen M. Byers on
Posted in Cybersecurity, Government Contracts
On October 22, 2024, the Department of Justice (DOJ) announced that Pennsylvania State University (Penn State) will pay $1.25 million to resolve allegations that it violated the False Claims Act (FCA) by failing to comply with contractually mandated cybersecurity requirements by the Department of Defense (DoD) and National Aeronautics and Space Administration (NASA). The announcement marks the most recent settlement under DOJ’s Civil Cyber-Fraud Initiative although, unlike prior settlements, there is no allegation of a cybersecurity incident or breach that was related to or caused by the contractor’s alleged noncompliance.Continue Reading Allegations of a Litany of Lyin’: Penn State Settles Claims of Cybersecurity Noncompliance
Cybersecurity Matured: DoD Finalizes Cybersecurity Maturity Model Certification (CMMC) Program
By Michael G. Gruden, CIPP/G, Jacob Harrison, Nkechi Kanu, Sarah Burgart, Alexis Ward & Jessica Chao on
Posted in Uncategorized
On October 11, 2024, the Department of Defense (DoD) released a final rule (the “Final Program Rule”) formalizing the requirements, assessment processes, and related governance for its Cyber Maturity Model Certification Program (CMMC).[1] Continue Reading Cybersecurity Matured: DoD Finalizes Cybersecurity Maturity Model Certification (CMMC) Program
Another One: It Pays to Consult the DOJ under the Civil Cyber Fraud Initiative
By Nkechi Kanu, Brian Tully McLaughlin, Jennie Wang VonCannon & Jessica Chao on
Posted in Cybersecurity, Government Contracts
On June 17, 2024, the Department of Justice (DOJ) announced a $11.3 million False Claims Act (FCA) settlement that touches on two key enforcement priorities: the DOJ’s Civil Cyber-Fraud Initiative and pandemic-related fraud. This settlement, the largest under the Civil Cyber-Fraud Initiative to date, resolved allegations that Guidehouse Inc. (Guidehouse) and its subcontractor, Nan McKay and Associates (Nan McKay), violated the FCA because they failed to conduct pre‑production cybersecurity testing on New York State’s Emergency Rental Assistance Program (ERAP) technology product before public launch, and that Guidehouse used an unapproved third-party data cloud software program to store personally identifiable information (PII).Continue Reading Another One: It Pays to Consult the DOJ under the Civil Cyber Fraud Initiative
No End “Insight” for DOJ’s Civil Cyber-Fraud Initiative
By Nkechi Kanu, Brian Tully McLaughlin, Jessica Chao, Jacob Harrison & Jennie Wang VonCannon on
Posted in False Claims, Government Contracts
On May 1, 2024, the Department of Justice (DOJ) announced that Insight Global LLC (Insight), an international staffing and services company, will pay $2.7 million to resolve allegations that it violated the False Claims Act (FCA) by failing to implement adequate cybersecurity measures to protect personal health information (PHI) and personally identifiable information (PII) under its contracts with the Pennsylvania Department of Health (PADOH) to provide staffing for COVID-19 contact tracing services. Although contracts with state agencies generally fall outside the FCA’s ambit, PADOH paid Insight using funds received from the federal Centers for Disease Control and Prevention (CDC)—bringing the contract within the FCA’s scope. Continue Reading No End “Insight” for DOJ’s Civil Cyber-Fraud Initiative