
$6.8 Billion in False Claims Act Recoveries: The DOJ’s Clear Warning to the Defense Industrial Base

March 31, 2026
Author

Emily Bonnie

Senior Content Marketing Manager

In fiscal year 2025, the Department of Justice recovered more than $6.8 billion under the False Claims Act, the highest annual total in the statute’s history. Whistleblowers filed 1,297 qui tam lawsuits, also a record.

At first glance, those numbers may sound like another enforcement headline. For companies operating in the Defense Industrial Base, though, they point to something more specific about how seriously the government is treating procurement and cybersecurity commitments.

While overall False Claims Act enforcement has remained consistently high, recent years have also seen a clear expansion in the types of cases the Department of Justice is pursuing, including a growing focus on cybersecurity-related misrepresentations.

Although healthcare accounted for a significant portion of recoveries, the DOJ also highlighted enforcement involving government contractors, cybersecurity requirements, pandemic programs, and tariff compliance. That broader focus matters because it places defense contractors directly within current enforcement priorities.

As CMMC requirements move from policy guidance into active contract language, and as cybersecurity certifications receive more scrutiny, the link between what contractors certify and what they can actually show is becoming more important.

Below, we’ll break down what the False Claims Act covers, why this record enforcement year matters for primes and subcontractors in the DIB, how increased whistleblower activity changes the risk picture, and where contractors should pay closer attention now.

What the False Claims Act actually does

The False Claims Act is a civil law that allows the government to recover damages when an entity knowingly submits false claims for payment or makes false statements that influence government payment decisions.

Two features give the statute its teeth.

First, damages are trebled. If the government suffers $10 million in losses, liability can reach $30 million before penalties are added. Second, the Act imposes a civil penalty for each false claim, and each invoice or request for payment under a contract may count as a separate claim.

In a defense contracting context, that exposure can scale quickly. A multi-year contract with recurring invoices doesn’t create a single point of risk. Each request for payment may be treated as its own claim. When combined with treble damages, even a narrow gap between what was certified and what was implemented can translate into significant financial exposure.

Consider a contractor performing on a $5 million DoD contract, invoiced monthly over the course of a year. As part of that contract, the organization has certified compliance with applicable cybersecurity requirements.

If that certification is later found to materially overstate what was actually implemented, the risk is not limited to a single misstatement. Each invoice submitted under that contract may be treated as a separate claim. In that scenario, the exposure is tied not just to the original certification, but to the full value of payments received, potentially multiplied under the False Claims Act.

Importantly, “knowingly” doesn’t require proof of intent to defraud. Under the Act it covers actual knowledge, deliberate ignorance of whether a statement is true or false, and reckless disregard of its truth or falsity.

For defense contractors, that distinction matters. Many FCA cases don’t involve blatant fraud. They arise where what was certified no longer matches reality: controls are only partially implemented, the evidence behind a self-assessment is stale, or configurations have drifted since the assessment was performed. A certification describes the environment at a point in time, and the gap widens each time it is repeated or relied on without being re-verified.

Why the Defense Industrial Base should pay close attention

The DOJ specifically referenced enforcement involving government contractors that knowingly violate cybersecurity requirements. That focus aligns with the Department’s Civil Cyber-Fraud Initiative, which targets contractors whose cybersecurity representations don’t match their actual practices.

These cases are not hypothetical. The DOJ has already pursued enforcement actions based on cybersecurity misrepresentations, even in the absence of a formal CMMC certification requirement.

Since launching the Civil Cyber-Fraud Initiative in 2021, the DOJ has increasingly used the False Claims Act to pursue cases involving cybersecurity misrepresentations by government contractors. This signals a broader shift in how compliance obligations, particularly those tied to system security, are being enforced.

In the Defense Industrial Base, cybersecurity obligations are built directly into contract performance. Contractors certify compliance with DFARS 252.204-7012, submit NIST SP 800-171 self-assessment scores into SPRS under DFARS 252.204-7019 and 252.204-7020, make CMMC Level 1 self-attestations, provide assurances to prime contractors through flowdown clauses, and reaffirm representations annually in SAM.gov.

Each of these steps involves a formal statement tied to eligibility, award, or payment. They aren’t internal planning notes or future goals. They’re contractual assertions the government may rely on when deciding whether to award work or continue performance.

In many cases, those statements are directly tied to invoices and contract payments. That means if a contractor certifies compliance and continues billing under that contract, those payments can be viewed as claims made on the basis of that certification. If the underlying representation is inaccurate, the issue doesn’t stay confined to a control gap. It can extend to every payment associated with that work.

Once a certification overstates what’s actually in place, the question is no longer purely technical. It becomes whether the government would have awarded, or kept paying under, the contract had it known the true state of the environment. That materiality question sits at the center of these cases.

That doesn’t mean every control gap creates liability. It does mean certifications should be backed by clear documentation and a realistic understanding of what’s implemented.

Subcontractors are not shielded by the prime

It’s common in the supply chain to assume enforcement risk sits mainly with the prime contractor, but that assumption can create blind spots.

Subcontractors regularly certify their cybersecurity posture to primes. They provide assurances about NIST 800-171 implementation and may contribute directly to deliverables or cost submissions under federal contracts. Those statements often flow upward and become part of the prime’s commitments to the government.

If a subcontractor knowingly misrepresents its compliance posture, liability can attach directly to that company. Being beneath a prime doesn’t remove that exposure.

At the same time, primes aren’t automatically protected if they ignore warning signs or rely too heavily on written assurances. Flowing down a clause isn’t the same as confirming performance. In a stricter enforcement environment, documented oversight and follow-up are likely to matter more, not less.

The broader trend suggests both primes and subcontractors should revisit assumptions about where risk lies and how contractual statements are supported.


How the whistleblower surge changes the risk landscape

The record 1,297 qui tam filings in FY2025 underscore how central whistleblowers remain to False Claims Act enforcement.

Under the statute, individuals who bring successful actions may receive between 15 and 30 percent of the recovery. That incentive is significant.

In the DIB context, potential whistleblowers include current and former employees, subcontractors, and sometimes competitors. When internal concerns about cybersecurity or compliance aren’t addressed, they don’t always stay internal. The rise in filings suggests more individuals are willing to escalate those concerns externally.

For contractors, that reality reinforces the need to take internal reports seriously and respond with care and documentation.

Practical implications for defense contractors

This enforcement environment doesn’t call for alarm. It calls for alignment between what’s certified, what’s implemented, and what can actually be shown.

Cybersecurity certifications should reflect what’s actually implemented, not what’s planned or assumed. In practice that means legal, contracts, and IT teams should review the evidence behind a statement before it is submitted to the government: the SPRS score should match the current self-assessment, the system security plan and plan of action should describe the environment as deployed, and the supporting evidence should be dated so it is clear what period the certification covers.

It also makes sense to revisit subcontractor oversight. Flowdown alone isn’t enough if assurances turn out to be inaccurate. Clear validation steps and documented follow-up can help demonstrate that certifications weren’t made blindly.

Finally, internal compliance concerns shouldn’t be brushed aside as routine issues. Addressing gaps early and keeping a clear record of the response can go a long way toward reducing exposure later. In an environment shaped by active whistleblowers and steady enforcement, how an organization responds may matter just as much as the original issue.

That’s where many organizations struggle. The hard part is not only implementing controls; it’s maintaining a clear, continuously updated picture of what’s actually in place across systems, users, and environments.

Compliance is now tied to business risk

The False Claims Act dates back to the Civil War era, but what makes fiscal year 2025 stand out isn’t just the dollar amount. It’s the message that procurement and cybersecurity commitments remain a priority for the Department of Justice.

For companies in the Defense Industrial Base, compliance isn’t limited to passing audits or checking contractual boxes. It increasingly ties directly to revenue, contract eligibility, and financial exposure. When compliance statements are inaccurate, the risk isn’t limited to audit findings or corrective actions. It can extend to clawed-back payments, penalties, and long-term damage to an organization’s ability to do business with the federal government.

In a $6.8 billion enforcement year, making sure contractual statements reflect how systems are actually implemented and managed isn’t just good governance. It’s good business.



Emily Bonnie is a seasoned digital marketing strategist with over ten years of experience creating content that attracts, engages, and converts for leading SaaS companies. At Secureframe, she helps demystify complex governance, risk, and compliance (GRC) topics, turning technical frameworks and regulations into accessible, actionable guidance. Her work aims to empower organizations of all sizes to strengthen their security posture, streamline compliance, and build lasting trust with customers.