Cyber Risk, Real Consequences: DOJ Steps Up Enforcement
- Authors: Dorn C. McGrath, Michael M. Beckwith, Brian S. Yu
- Industry Alerts
Government efforts to enforce cybersecurity control requirements have moved forward in the opening months of the Trump administration. Regardless of the changes coming to other areas of contracting and the Federal Acquisition Regulation (FAR), protecting sensitive information in contractor IT systems remains a priority.
In early 2025, the U.S. Department of Justice (DOJ) announced False Claims Act (FCA) settlements with Department of Defense (DOD) contractors for alleged misrepresentations of compliance with cybersecurity requirements. These are the latest under DOJ’s Civil Cyber-Fraud Initiative (CCFI), which aims to address emerging cyber threats. In May 2025, DOJ’s Criminal Division released a Memorandum announcing that DOJ “will prioritize investigating and prosecuting” cases in “high-impact areas.” DOJ highlighted “federal program and procurement fraud,” and is modifying its whistleblower program to include “corporate procurement fraud” to demonstrate DOJ’s focus on this priority area.
Meanwhile, DOD is on course to implement the enhanced Cybersecurity Maturity Model Certification (CMMC) 2.0 Program, which will require certification of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) safeguards. The final rule establishing the CMMC Program became effective in December 2024, outlining certification requirements for defense contractors and subcontractors. The CMMC Program final rule also formalized third-party assessment organizations (C3PAOs) and expanded the role of the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). DOD is following a phased approach for implementing CMMC:
- Phase 1:
  - Level 1 Self-Assessment (FCI)
  - Level 2 Self-Assessment (non-defense CUI)
  - Level 2 C3PAO (DOD discretion)
- Phase 2:
  - Level 2 C3PAO (defense CUI)
  - Level 3 DIBCAC (DOD discretion)
- Phase 3:
  - Level 2 C3PAO (defense CUI)
  - Level 3 DIBCAC
- Phase 4: Full Implementation
Phase 1 will begin as of the effective date for the revised Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021, “Cybersecurity Maturity Model Certification Requirements,” which is anticipated in mid-2025.
DOJ Emphasizes Cybersecurity Enforcement – Including for Small Businesses
In March 2025, DOJ publicized a CCFI cyber fraud case brought against a small business. This Massachusetts technology company’s DOD contracts incorporated CUI safeguarding requirements. The contractor agreed to pay $4.6 million based on failures to:
- Ensure that a third-party software provider hosting its emails complied with contract requirements for cloud service providers and met FedRAMP Moderate equivalency.
- Maintain a consolidated written plan for each of its covered information systems.
- Submit an accurate Supplier Performance Risk System (SPRS) self-assessment score or update the score after learning it was inaccurate.
- Adequately implement the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 cybersecurity requirements.
The NIST SP 800-171 framework describes the series of control requirements. This contractor gave itself a SPRS score of 104, but the next year a third-party assessor scored it at negative 142. The contractor did not update its SPRS entry in a timely manner. The risk of overly generous self-assessments, and of the misrepresentations they produce, is clear.
Most recently, in May 2025, a major defense contractor paid $8.4 million to settle FCA claims based on cybersecurity issues. A qui tam “whistleblower” alleged the contractor failed to implement NIST SP 800-171 for its computer network, in particular the requirement to develop a “system security plan.” The government had intervened to pursue this case, stating that the contractor submitted false claims because compliance with contract requirements, including cybersecurity standards, was a condition of payment.
Along with DOD, civilian agencies require CUI, FCI, and privacy information safeguards. DOJ’s enforcement targets range from healthcare support services and IT contractors, to universities and telecommunications providers. Contractors (and their subcontractors) should anticipate the possibility of enforcement regardless of sector, size, or agency customer.
DOJ has said FCA actions will “extract very hefty” penalties from those entrusted to work on sensitive government systems who are failing to follow cybersecurity standards. While the Trump administration has deprioritized many regulatory areas, the CCFI enforcement initiative remains a clear exception.
CMMC in Contracts Moving Forward
The CMMC Program marks a significant development for corporate compliance programs to take into account. The final Program rule creates three certification levels (and “Conditional” or “Final” status). An entity seeking Level 1 needs to self-assess its implementation of a limited number of NIST SP 800-171 controls, but will be eligible only for contracts or subcontracts involving FCI. Processing, storing, or transmitting CUI requires at least a Level 2 assessment, covering all NIST SP 800-171 requirements, and Level 3 adds enhanced control requirements.
Eligibility for most DOD prime contracts will require Level 2 (C3PAO) certification. DOD will no longer entrust defense CUI to self-assessed contractors. Although the required cybersecurity standards may seem challenging, many items are familiar measures that private companies typically use to protect information systems and data. Once they have completed the process, contractors will be required to submit an annual affirmation. Companies thus remain responsible for their cybersecurity representations and subject to the ongoing risk of CCFI enforcement.
Shortly after the CMMC Program regulations (32 CFR part 170) became effective in December 2024, Cyber AB, responsible for accreditation of C3PAOs (https://cyberab.org/faq), became operational in January 2025. Whether Executive Order 14275 (April 18, 2025), “Restoring Common Sense to Federal Procurement,” directing an overhaul of the Federal Acquisition Regulation (FAR) system, will have an impact on CMMC’s final implementation remains to be seen. Because the EO aims to “protect economic or national security interests,” the CMMC Program very likely will carry forward. DOD’s current acting Chief Information Officer was the original architect of the CMMC program and remains a lead proponent.
What to Do?
Although the final DFARS rule has not been issued, adopting a “wait-and-see” approach may create uncomfortably short timelines to qualify for contract and subcontract awards. An estimated 80,000 contractors need CMMC assessments, and only 70 accredited C3PAOs are currently available. Instead, a confidential gap assessment would be a valuable first step toward assessing compliance risks while waiting for C3PAO availability.
Disclaimer
This Client Alert is informational only and does not replace legal counsel, and you are encouraged to contact a Dickinson Wright government contracts attorney to learn how federal laws apply to you and your business. Please note that this publication is not a comprehensive analysis of these laws and is not intended to analyze laws specific to any individual client circumstances.