DOJ’s Civil Rights Fraud Initiative Bolsters Threat of False Claims Act Enforcement Under “Anti-DEI” Executive Order
On May 19, 2025, Deputy Attorney General Todd Blanche issued a Memorandum creating the Civil Rights Fraud Initiative that will “utilize the False Claims Act to investigate and . . . pursue claims against any recipient of federal funds that knowingly violates federal civil rights laws.” According to the Memorandum, though racial discrimination has “always been illegal,” the Administration posits that “many corporations and schools continue to adhere to racist policies and preferences—albeit camouflaged with cosmetic changes that disguise their discriminatory nature.” In an effort to prevent federal funds from being used in connection with or support of these purportedly racist policies and preferences, the Initiative will wield the power of the False Claims Act, the government’s most powerful tool to fight fraud, waste, and abuse.

Nkechi Kanu
Nkechi A. Kanu is a counsel in the Washington, D.C. office of Crowell & Moring, where she is a member of the firm’s Government Contracts Group.
Nkechi’s practice focuses on False Claims Act investigations and litigation. Nkechi has significant experience assisting companies with complex internal investigations and represents clients in government investigations involving allegations of fraud. She also focuses on assisting clients with investigations relating to cybersecurity and information security compliance. Her complementary litigation practice involves defending companies in government-facing litigation arising under the FCA, resulting in the dismissal of qui tam complaints and successful settlements of FCA claims with DOJ.
For Better or MORSE: Another Settlement Under DOJ’s Civil Cyber-Fraud Initiative
On March 26, 2025, the Department of Justice (DOJ) announced that defense contractor MORSECORP Inc. (MORSE) will pay $4.6 million to settle allegations that MORSE violated the False Claims Act (FCA) by failing to comply with cybersecurity requirements and subsequently submitting false or fraudulent claims for payment in its contracts with the Departments of the Army and Air Force. This is the first FCA settlement that is based on a defense contractor’s failure to reevaluate and promptly update its self-assessment score in the Supplier Performance Risk System (SPRS) after a third-party assessment resulted in a lower score.
Canadian CMMC? Canada Proposes Cyber Compliance Regime for Canadian Defense Suppliers
On March 12, 2025, the Government of Canada announced plans to launch the Canadian Program for Cyber Security Certification (CPCSC). CPCSC is a cybersecurity compliance verification program that aims to protect sensitive unclassified government information handled by Canadian government contractors and subcontractors within Canada’s defense sector. Canada will roll out CPCSC to contractors in four phases, with the first phase launching this month.
FedRAMP 20x: Proposed Framework Aims To Increase Automation and Efficiency
On March 24, 2025, the Federal Risk and Authorization Management Program (FedRAMP) unveiled “FedRAMP 20x,” a proposal to make FedRAMP more efficient by automating FedRAMP security assessments and continuous monitoring, simplifying required technical controls, and leaning on industry to provide tooling and solutions to support automation.
The Top FCA Developments of 2024
FY 2024 saw continued growth in False Claims Act enforcement, with a record year for new qui tam and government-initiated actions, and the highest total recovery in three years. Enforcement of pandemic-related fraud and cybersecurity noncompliance increased, and health care, procurement, and small business fraud violations were again priority areas. A groundbreaking opinion from the…
An Un[waiver]ing Commitment to CMMC: The Department of Defense Issues Guidance for Determining Assessment Levels
Amidst a flurry of executive cost-cutting, the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification program—often known just as “CMMC”—appears to be defying the odds and only picking up steam. Marking the first CMMC developments under the new administration, the DoD has published guidance that previews what to expect once CMMC is finalized. These developments suggest that the current administration intends to pick up where it left off, having first introduced the CMMC program during President Trump’s first term.
Cyber For All: Proposed Rule Introduces Government-Wide CUI Cybersecurity Requirements
On January 15, 2025, the FAR Council released a proposed rule (FAR CUI Rule) that would amend the FAR to implement federal government-wide Controlled Unclassified Information (CUI) cybersecurity, training, and incident reporting requirements for government contractors and subcontractors. The rule’s key cybersecurity requirements closely mirror the Department of Defense’s Cyber Maturity Model Certification (CMMC) program (for example, compliance with National Institute of Standards and Technology Special Publication 800-171, Revision 2), but broaden the scope to include contractors and subcontractors working across all federal agencies. The Rule is intended to standardize the handling of CUI by federal government contractors and subcontractors in accordance with Executive Order 13556, including by:
Allegations of a Litany of Lyin’: Penn State Settles Claims of Cybersecurity Noncompliance
On October 22, 2024, the Department of Justice (DOJ) announced that Pennsylvania State University (Penn State) will pay $1.25 million to resolve allegations that it violated the False Claims Act (FCA) by failing to comply with contractually mandated cybersecurity requirements by the Department of Defense (DoD) and National Aeronautics and Space Administration (NASA). The announcement marks the most recent settlement under DOJ’s Civil Cyber-Fraud Initiative although, unlike prior settlements, there is no allegation of a cybersecurity incident or breach that was related to or caused by the contractor’s alleged noncompliance.
Cybersecurity Matured: DoD Finalizes Cybersecurity Maturity Model Certification (CMMC) Program
On October 11, 2024, the Department of Defense (DoD) released a final rule (the “Final Program Rule”) formalizing the requirements, assessment processes, and related governance for its Cyber Maturity Model Certification Program (CMMC).[1]
The Global Investigations Review Guide to Compliance
As the primary civil enforcement statute for investigating and remedying fraud in connection with United States government programs, the False Claims Act (FCA) has resulted in more than $75 billion in recoveries of government funds since 1986. The FCA imposes liability on any person or entity that knowingly submits false claims or certifications to the…