The Department of Justice announced that Swiss Automation Inc. agreed to pay $421,000 to resolve False Claims Act allegations that the company falsely certified compliance with DFARS clause 252.204-7012, the Safeguarding Covered Defense Information and Cyber Incident Reporting clause, while operating systems that did not implement the security requirements of NIST Special Publication 800-171. The settlement resolves a government-initiated investigation rather than a qui tam whistleblower complaint, which makes it one of the relatively uncommon proactive DOJ cybersecurity FCA actions. According to the DOJ announcement, Swiss Automation submitted a System Security Plan stating that the company had implemented all 110 NIST SP 800-171 security requirements when numerous controls had not been implemented, so the SSP did not reflect the company's actual security posture. The settlement is notable in the context of DOJ's Civil Cyber-Fraud Initiative, under which false-certification liability applies to companies that misrepresent their security posture to obtain or keep government contracts.

DFARS 7012 and the NIST 800-171 Compliance Framework

DFARS clause 252.204-7012 requires contractors that process, store, or transmit covered defense information on their own information systems to provide adequate security for those systems by implementing the 110 security requirements in NIST SP 800-171 (Revision 2, the version the clause references). The clause also requires contractors to report cyber incidents to DoD within 72 hours of discovery, preserve images of affected systems and relevant monitoring data for at least 90 days from the report, and flow the requirements down to subcontractors that handle covered defense information. The 110 requirements span 14 families: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. Each family contains basic requirements, which are drawn from FIPS 200, and derived requirements, which are drawn from the moderate baseline of NIST SP 800-53, the federal control catalog. When a contractor certifies compliance with DFARS 7012 in a contract or bid submission while knowingly (including with reckless disregard) failing to implement required controls, that certification can be a false claim under the FCA regardless of whether a cyber incident ever occurred.

The DOJ Cybersecurity Enforcement Pipeline

The Swiss Automation settlement is part of a sustained DOJ enforcement program that has generated over a dozen cybersecurity FCA settlements since the Department announced its Civil Cyber-Fraud Initiative in October 2021. The Initiative directs the Civil Division to actively pursue FCA cases against contractors that knowingly misrepresent their cybersecurity posture, treating false security certifications like any other form of contract fraud. DOJ has made clear that the program is not limited to large prime contractors; settlements with small and medium manufacturers like Swiss Automation show that enforcement reaches throughout the supply chain. The $421,000 figure is calibrated to the company's size and the contract revenues involved rather than representing the maximum FCA exposure, which is treble damages plus a civil penalty assessed for each false claim and would run to multiples of the settlement figure.

What It Means for Contractors

The Swiss Automation settlement is a clear signal that DOJ's cybersecurity FCA program will pursue small and medium manufacturers, not just large defense primes, and that false System Security Plan submissions are actionable regardless of whether a cyber incident occurred.

  • Every contractor subject to DFARS 252.204-7012 should verify that its System Security Plan accurately reflects its actual security implementation — not the aspirational implementation it intends to complete — and document a Plan of Action and Milestones for any gaps, as a documented POA&M is explicitly permitted under the framework and demonstrates good faith.
  • The Cybersecurity Maturity Model Certification program, whose Phase 2 (scheduled for 2026, one year after Phase 1 began) requires third-party C3PAO assessment of NIST SP 800-171 implementation for the Level 2 contracts designated for certification, is a structural shift that makes false SSP certifications harder to sustain once independent assessors compare the SSP against the live environment.
  • Subcontractors that receive covered defense information flow-downs from prime contractors are equally subject to DFARS 7012 and equally exposed to FCA liability; primes should ensure their subcontract flow-down language is enforceable and that they have a mechanism to verify subcontractor compliance.
  • The $421,000 settlement amount should not be interpreted as a ceiling — DOJ has pursued much larger settlements against companies with larger revenue bases and larger numbers of false claims; the damages framework is based on contract value, not company size.

System Security Plan Accuracy as a Legal Compliance Obligation

The Swiss Automation settlement is one of a growing number of DFARS cybersecurity FCA cases in which the government's theory of liability centers on a System Security Plan that described controls the contractor had not actually implemented. The SSP is the foundational document of the NIST 800-171 compliance framework: it describes in detail which of the 110 security requirements apply to the contractor's environment, how each applicable requirement has been implemented, and — for requirements not yet fully implemented — the Plan of Action and Milestones that documents the remediation timeline. When a contractor submits an SSP in connection with a contract award or maintains an SSP that is incorporated by reference into an active contract, that SSP is implicitly certified as accurate through the contractor's representations about compliance with DFARS 252.204-7012. If the SSP claims that specific controls are implemented when they are not — multi-factor authentication, audit logging, incident response procedures, or access control configurations, for example — the gap between the claimed and actual implementation is the factual predicate for the FCA false certification claim. The practical implication for contractors is that the SSP should be treated as a legal document with the same care given to contract certifications and proposal representations: it must be accurate as of the date it is submitted or referenced, and any gaps between documented and actual implementation should be captured in the POA&M with honest timelines. An overly optimistic SSP that claims "implemented" status for controls still in progress is a false statement, regardless of the contractor's intent to complete the implementation.
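The check this section and the earlier bullet list describe (does each "implemented" row of the SSP match what the system actually does, and does every acknowledged gap carry a POA&M milestone?) is mechanical enough to script. The following is an added example written for this article; it is not DOJ, DoD, or any contractor's tooling. The SSP row layout, the three-value status vocabulary, the `reconcile` and `build_poam` function names, and the five-row sample data are all assumptions made here; the control numbers are NIST SP 800-171 Rev 2 requirement identifiers, and the findings attached to them are constructed, not drawn from the settlement.

```python
"""Reconcile an SSP's per-control status claims against assessment findings
and draft the POA&M rows an accurate SSP would need.

Added example for this article, not DOJ, DoD, or any contractor's tool.
Assumed (not from the article): the SSP row layout, the status vocabulary,
the function names, and the constructed sample data at the bottom.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

IMPLEMENTED, PARTIAL, NOT_IMPLEMENTED = "implemented", "partially implemented", "not implemented"
RANK = {NOT_IMPLEMENTED: 0, PARTIAL: 1, IMPLEMENTED: 2}   # "more implemented" sorts higher


@dataclass
class ControlClaim:
    """One row of the SSP control table (hypothetical layout)."""
    control_id: str
    title: str
    ssp_status: str
    evidence: list = field(default_factory=list)      # artifacts the SSP cites
    poam_milestone: Optional[date] = None             # required when status != implemented


@dataclass
class Finding:
    """What an internal or third-party assessment actually observed."""
    control_id: str
    assessed_status: str
    note: str = ""


@dataclass
class Discrepancy:
    control_id: str
    kind: str          # overstated | understated | unsupported | no_milestone
    claimed: str
    actual: str
    detail: str = ""


def reconcile(claims, findings):
    """Return every SSP row that cannot be defended as written."""
    observed = {f.control_id: f for f in findings}
    problems = []
    for c in claims:
        if c.ssp_status not in RANK:
            raise ValueError(f"{c.control_id}: unknown status {c.ssp_status!r}")
        f = observed.get(c.control_id)
        actual = f.assessed_status if f else "not assessed"
        if f and f.assessed_status != c.ssp_status:
            # The FCA predicate is the overstated case: the SSP claims a better
            # status than the system actually has. Understated is still inaccurate.
            kind = "overstated" if RANK[c.ssp_status] > RANK[f.assessed_status] else "understated"
            problems.append(Discrepancy(c.control_id, kind, c.ssp_status, actual, f.note))
        if c.ssp_status == IMPLEMENTED and not c.evidence:
            # An "implemented" claim with no artifact behind it will not survive an assessment.
            problems.append(Discrepancy(c.control_id, "unsupported", c.ssp_status, actual,
                                        "no evidence artifact cited"))
        if c.ssp_status != IMPLEMENTED and c.poam_milestone is None:
            # An acknowledged gap with no milestone is not the documented gap the framework permits.
            problems.append(Discrepancy(c.control_id, "no_milestone", c.ssp_status, actual,
                                        "open gap has no POA&M milestone"))
    return problems


def build_poam(claims, findings, as_of):
    """Draft POA&M rows from assessed status, not from the status the SSP hoped for."""
    observed = {f.control_id: f for f in findings}
    rows = []
    for c in claims:
        status = observed[c.control_id].assessed_status if c.control_id in observed else c.ssp_status
        if status != IMPLEMENTED:
            rows.append({"control": c.control_id, "title": c.title, "status": status,
                         "milestone": c.poam_milestone.isoformat() if c.poam_milestone else "TBD",
                         "as_of": as_of.isoformat()})
    return rows


# Constructed sample data: a five-row slice of an SSP and the matching assessment.
SSP_CLAIMS = [
    ControlClaim("3.1.1", "Limit system access to authorized users", IMPLEMENTED, ["AD group policy export"]),
    ControlClaim("3.3.1", "Create and retain system audit logs", IMPLEMENTED, ["SIEM retention policy"]),
    ControlClaim("3.5.3", "Multifactor authentication", IMPLEMENTED),                    # no evidence cited
    ControlClaim("3.6.1", "Incident-handling capability", PARTIAL),                      # no milestone
    ControlClaim("3.13.11", "FIPS-validated cryptography", NOT_IMPLEMENTED, poam_milestone=date(2026, 3, 31)),
]
ASSESSMENT = [
    Finding("3.1.1", IMPLEMENTED),
    Finding("3.3.1", PARTIAL, "engineering workstations do not forward logs"),
    Finding("3.5.3", NOT_IMPLEMENTED, "VPN accepts password-only logins"),
    Finding("3.6.1", PARTIAL),
]
AS_OF = date(2025, 1, 15)   # constructed assessment date

if __name__ == "__main__":
    for p in reconcile(SSP_CLAIMS, ASSESSMENT):
        print(f"{p.control_id:8} {p.kind:12} SSP={p.claimed!r} actual={p.actual!r} {p.detail}")
    for row in build_poam(SSP_CLAIMS, ASSESSMENT, AS_OF):
        print(row)
```

On the sample data the reconciliation flags 3.3.1 and 3.5.3 as overstated (the SSP says "implemented" where the assessment found less), 3.5.3 again as unsupported (no evidence artifact), and 3.6.1 as an acknowledged gap with no milestone; 3.13.11 passes because its gap is honestly stated with a dated POA&M entry. The POA&M draft is built from the assessed status, so a control the SSP overstated lands in the POA&M with its real status and a "TBD" milestone that someone has to fill in with an honest date.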

Sources