DOJ closed 2025 with significant False Claims Act actions against DoD contractors over allegedly deficient cybersecurity practices. Translation for 2026: DFARS 252.204-7012 compliance for firms processing Controlled Unclassified Information is an enforcement priority. Coverage from Government Contracts Law, Dentons, and Alston & Bird.
What DFARS 7012 actually requires
- Implementation of NIST SP 800-171 security controls
- Cyber incident reporting within 72 hours
- Subcontractor flowdown of the same requirements
- Adequate security for CUI throughout the contractor's information system
The False Claims Act exposure
Contractors who attest to NIST SP 800-171 compliance but don't actually meet the controls face FCA risk. Treble damages, civil penalties, and qui tam (whistleblower) actions all apply. DOJ has settled multiple cases in 2025-26 with awards in the millions.
The harmonization context
Section 866 of the FY26 NDAA directs cybersecurity harmonization by June 1, 2026 — but that's prospective. Until DFARS clauses are actually consolidated, contractors face the existing 7012, plus CMMC self-assessment requirements, plus contract-specific cyber clauses. See our Section 866 coverage.
Recent specific cyber contract
Adjacent context: BreakPoint Labs LLC was awarded a $50M firm-fixed-price contract to provide cybersecurity SME services for the DoD High Performance Computing Modernization Program. The HPCMP cyber-services market remains active for specialty firms.
What to do this week
- Confirm your NIST SP 800-171 control implementation matches your DFARS 7012 attestation — any gap between the two is the FCA exposure
- Document your cyber incident reporting workflow — 72-hour windows are not negotiable
- Audit subcontractor flowdown — primes are increasingly liable for sub-tier non-compliance
- Watch upcoming DOJ FCA settlements for fact-pattern lessons