Earlier this year, the U.S. Department of Justice (“DOJ”) published its annual statistics on False Claims Act (“FCA”) settlements and judgments for fiscal year 2025—and reported a whopping $6.8 billion in recoveries. Of this amount, DOJ recovered $52 million in FCA cybersecurity actions. These actions were premised on allegations that the contractor failed to implement certain contractual cybersecurity controls during the performance of a government contract.
In many instances, however, liability was not limited to the contractor performing the work, but instead extended to parent companies, private equity, and other successor entities. And here’s the kicker: these successor entities were held liable even when the alleged wrongdoing (the alleged cybersecurity noncompliance) occurred before the entities’ acquisition of or investment in the contractors.
So, what gives? This article briefly touches on contractors’ cybersecurity obligations before examining three recent FCA cybersecurity enforcement actions that implicated a contractor’s new corporate parent; a contractor’s new and old corporate parents; and a private equity company. This article concludes by summarizing cybersecurity due diligence considerations when buying or investing in a government contractor.
Contractor Cybersecurity Obligations: Not New, But Newly Dangerous
Cybersecurity requirements for federal contractors are not new. Contracting officers began including FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, in contracts in 2016. Under DFARS 252.204-7012, defense contractors were to have implemented the NIST SP 800-171 security controls by December 31, 2017.
After realizing defense contractors were not consistently implementing these controls,[1] DoD announced in 2020 its Cybersecurity Maturity Model Certification (“CMMC”) program designed to verify contractor compliance. Shortly after, in 2021, DOJ launched its Civil Cyber-Fraud Initiative to utilize the FCA to pursue cybersecurity-related fraud by government contractors and grant recipients.
While the cybersecurity compliance obligations are not new, they are newly dangerous. Since its inception, DOJ’s Civil Cyber-Fraud Initiative has settled 14 enforcement actions through fiscal year 2025, all premised on allegations that the contractor failed to implement certain contractual cybersecurity controls (e.g., as required by FAR 52.204-21 or DFARS 252.204-7012):

By submitting invoices for payment to the government under these contracts, the contractors—knowing their systems were deficient—impliedly certified compliance with all “material” contractual requirements, which include cybersecurity.
And while DoD’s CMMC program does not levy new cybersecurity requirements (for most contractors), it does require affirmations of “continuing compliance” from senior contractor employees—a requirement that all but screams “materiality” for FCA purposes. Even an honest misunderstanding of a self-report question about a company System Security Plan (“SSP”) or Plan of Action & Milestones (“POA&M”) can lead to heavy consequences.
Buying Trouble: How M&A and Private Equity Can Inherit FCA Cyber Risk
When acquiring another business, one of the first considerations is how to structure the transaction: stock purchase or asset purchase? In a stock purchase, the buyer purchases the seller’s stock and typically assumes the seller’s liabilities. The company continues to exist, just with different stockholders.
In an asset purchase, on the other hand, the buyer purchases all or some of the seller’s assets but does not typically assume the seller’s liabilities. After the transaction, there is usually an “old company” and a “new company.” The general rule is that the new company (buyer) is not responsible for the old company’s (seller’s) liabilities simply because the new company owns the old company’s assets.
There are, of course, exceptions to this rule. Under the doctrine of successor liability, the new company can, in certain instances, be held responsible for the wrongdoing of the old company. One way successor liability can arise is where the new company is a “mere continuation” of the old. A new company may be found liable for the wrongdoing of the old company if, after an asset purchase, only one meaningful company remains and there is an identity of ownership between the new and old companies.
Stock Purchases: When the Buyer Assumes the FCA Cyber Risk
From 2015 to 2018, a defense contractor allegedly failed to implement certain contractual cybersecurity requirements, including the requirement to develop an SSP. In 2016, after the alleged wrongdoing began, a healthcare company acquired all of the issued and outstanding shares of the contractor’s corporate parent. As part of the acquisition, the healthcare company assumed the liabilities of the contractor and its former corporate parent, which had failed to have an SSP in place as required by the FAR and DFARS provisions of its contract. As a result, the healthcare company and the contractor agreed to settle the contractor’s liability under the FCA for its alleged failure to implement required cybersecurity controls. The companies paid $11 million in the settlement.
Successor Liability: When an Asset Purchase Doesn’t Eliminate the FCA Cyber Risk
A subsidiary of a major defense contractor performed government contracts and subcontracts that included FAR 52.204-21 and DFARS 252.204-7012 from 2015 to 2021. In 2021, a qui tam whistleblower filed suit, alleging the subsidiary failed to implement the security controls required under the FAR and DFARS clauses—including the requirement to implement an SSP. In 2024, the subsidiary was spun off, sold, renamed, and reorganized under a new corporate parent. The whistleblower amended their complaint. In 2025, the subsidiary—along with its current and former corporate parents—agreed to pay $8.4 million to resolve the allegations. The settlement agreement identifies the “new” company and its new corporate parent as the “successor in liability” as to the claims against the old company and its former corporate parent. Thus, the corporate restructuring was insufficient to isolate the FCA risk.
Private Equity: When Portfolio Management “Causes” False Claims
Interested in investing and advising, but not buying a defense contractor? There is a DOJ FCA cybersecurity settlement for that too. In our final example, involving private equity, a defense contractor performed a contract subject to DFARS 252.204-7012 from 2018 to 2020—during which the contractor allegedly failed to implement the NIST SP 800-171 security controls required by the clause. In January 2019, a private equity company, through investment funds, obtained a controlling stake in the defense contractor.
In June and July 2019, controlled unclassified information (“CUI”) was shared with a foreign citizen lacking authorization to receive the information—due, in part, to actions of an employee of the private equity company. Specifically, the settlement agreement alleges that the private equity employee, in an effort to improve the contractor’s information system, shared data containing CUI related to the contractor’s Air Force contract with foreign citizens. The defense contractor and the private equity company, after learning of the issues, made a voluntary disclosure to and cooperated with the government. The companies agreed to jointly and severally pay $1.75 million to resolve the FCA liability.
Why the voluntary disclosure, especially by the private equity company, which was neither in privity with the government nor had assumed the contractor’s liabilities? Given the private equity employee’s direct involvement in the unauthorized dissemination of CUI, DOJ likely could have argued (had the companies not voluntarily disclosed) that the private equity company “caused” the contractor to submit false or fraudulent claims to the government.[2] In any event, DOJ has pursued FCA enforcement actions against private equity firms before—and is likely to do so again.
Diligence Considerations: How to Identify and Mitigate FCA Cyber Risk in M&A
So, what to do? A surge in the U.S. government defense budget has increased interest in defense investment, mergers, and acquisitions, with buyers (justifiably) asking how to meaningfully evaluate a seller’s federal cybersecurity compliance. Requests should be tailored to the seller’s current federal contracts, but some suggestions include:
- Copies of policies, processes, and procedures for identifying, marking, safeguarding, and disseminating FCI and CUI.
- Copies of cybersecurity policies, SSP(s), POA&Ms, incident response plans, incident reporting logs, and forensic data retention procedures.
- Descriptions of any cyber incidents and copies of any cyber incident reporting.
- NIST SP 800-171 DoD assessment scores and assessment documentation, including screenshots or printouts of information posted in the Supplier Performance Risk System (“SPRS”).
- CMMC scoping documentation, including asset inventories, network diagrams, and data flow maps.
- CMMC certificates or self-assessments and associated documentation, including screenshots or printouts of information posted in SPRS or the Enterprise Mission Assurance Support Service (“eMASS”).
- Policies, processes, and procedures for flowing down federal cybersecurity requirements, including any subcontract templates and agreements.
What’s a seller to do? Create an SSP. Seriously. Then, consider implementing the policies and procedures described above. Conduct a gap assessment and understand where the company may have vulnerabilities. And create POA&Ms to close those gaps.
Conclusion
DOJ’s 2025 FCA statistics—and its 2026 priorities—confirm cybersecurity is and remains a key FCA enforcement focus area. For those in the market to buy a contractor, do your homework. It turns out ignorance of cybersecurity practices is not a defense.
-----------
[1] See, e.g., DODIG-2019-105, Audit of Protection of DoD CUI on Contractor-Owned Networks & Systems (July 2019).
[2] The FCA imposes liability on “any person” who “knowingly presents, or causes to be presented,” a false or fraudulent claim to the federal government. 31 U.S.C. § 3729(a)(1)(A).
Authors
- Michelle West, Partner: Michelle West is a seasoned trial lawyer who represents clients in complex construction and commercial litigation across Washington, D.C., Maryland, and Virginia. She has handled a wide range of disputes, from private project ...
- Kelsey Hayes, Partner: Kelsey Hayes is a partner in the firm’s Construction & Project Development practice group. She regularly, and successfully, litigates bid protests, claims, and disputes before the U.S. Government Accountability Office ...
- Sean Milani-nia, Partner: Sean Milani-nia is the leader of Burr & Forman’s government contracts practice. He represents federal contractors in connection with Contract Disputes Act claims, bid protests, and compliance matters. Sean has extensive ...