The Department of Justice recovered more than $6.8 billion in False Claims Act settlements and judgments in fiscal year 2025 — a record — alongside the highest-ever number of qui tam (whistleblower) lawsuits filed: 1,297. Cybersecurity-related FCA settlements alone totaled $52 million across nine matters. Coverage from Mayer Brown and Akin.
What DOJ said about cyber
In January 2026, Deputy Assistant Attorney General Brenna Jenny called the cyber-FCA trajectory "significant upward." She emphasized that cyber-fraud cases are "not about data breaches" but instead "premised on misrepresentations" — i.e., the FCA hook is the contractor's certification, not the underlying compromise.
Recent cyber settlement landmarks
- Raytheon/Nightwing — $8.4M for DFARS 7012 / FAR 52.204-21 controls failures
- TRICARE military health benefits contractor — $11.2M for false certifications under TRICARE contracts
- December 2025: precision machining supplier resolved allegations of inadequate DFARS 7012 cybersecurity for technical drawings (qui tam by former QC manager)
What to do
- Treat your cybersecurity certifications as the first FCA exposure surface — review who signs and what they're attesting to
- Build internal qui tam pre-emption: when a complaint is raised, document and remediate before it migrates to DOJ
- For grant recipients (universities, healthcare, research orgs): cyber-FCA enforcement extends past traditional defense primes