
Government Contracts, Cybersecurity and the False Claims Act

Government contractors are subject to a number of federal cybersecurity requirements, and failure to comply with these often challenging requirements may place contractors in legal jeopardy. Although the Department of Defense (DOD) cybersecurity regulations are the best known, almost every federal agency now includes at least some cybersecurity requirements in its contracts. Failure to comply with the government’s contractual cybersecurity requirements can lead to poor performance ratings, breach damages, contract termination or debarment. Further, a recent federal court decision confirms that misrepresenting cybersecurity compliance in proposals or during contract performance may violate the False Claims Act (FCA). Government contractors should take note of this decision because of the significant monetary and criminal penalties associated with the FCA, and because the government’s requirements can be difficult to understand and implement.

The Aerojet Decision

In United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., Aerojet’s former senior director of Cybersecurity, Compliance and Controls alleged that Aerojet violated the FCA by knowingly misrepresenting the extent of the company’s compliance with cybersecurity requirements. According to the complaint, these alleged misrepresentations fraudulently induced DOD and NASA into entering into contracts with Aerojet. In response to the complaint, Aerojet filed a motion to dismiss for failure to state a claim upon which relief can be granted. Among other things, Aerojet argued that (a) the court should dismiss the complaint because the Department of Justice did not intervene, (b) the company had previously disclosed some non-compliance, (c) cybersecurity compliance is not a material requirement and (d) DOD does not expect contractors to fully comply with its cybersecurity regulations.

On May 8, 2019, the court denied Aerojet’s motion to dismiss. This preliminary decision does not mean Aerojet violated the FCA. Rather, at the motion to dismiss stage, the court only looks at whether the plaintiff has alleged facts sufficient to state plausible FCA violations. Nevertheless, the Aerojet decision is significant, because it confirms what we have long suspected: a company can violate the FCA by misrepresenting its cybersecurity compliance.


Under the FCA, “relators,” i.e., private parties who file FCA complaints on behalf of the government, can personally recover up to 30 percent of applicable FCA damages and penalties. Given this financial incentive, we expect to see more FCA cybersecurity cases. Therefore, companies should closely monitor their cybersecurity compliance and carefully consider the need for any disclosures to the government. Our team regularly helps government contractors with these issues. For additional information, please contact Guillermo Christensen.

Summer associate Raisa Masud contributed to this publication.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
