DOJ Reaches $507,144 Settlement with Defense Contractor, Signals Increased FCA Scrutiny of Cybersecurity Self-Assessments

On June 18, 2026, DOJ announced a settlement under which LOGZONE Inc., a defense contractor, will pay $507,144 to resolve allegations that it violated the False Claims Act by failing to satisfy cybersecurity requirements in its contracts with the Department of the Navy (“the Navy”). This settlement involves yet another coordinated enforcement effort through the recently created Task Force to Eliminate Fraud, previously reported on here and here. DOJ reached this settlement with assistance from the Department of the Navy, the Department of the Army, and the Defense Contract Management Agency (“DCMA”). This settlement underscores cybersecurity compliance as a focus of FCA enforcement.

According to DOJ, LOGZONE was awarded several contracts by the Navy “to provide logistical and inventory services.” These contracts incorporated Defense Federal Acquisition Regulation Supplement (“DFARS”) clause 252.204-7012, mandating that all Department of Defense contractors implement information systems security requirements outlined in the National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 by December 31, 2017. The contracts also incorporated DFARS clauses 252.204-7019 and 252.204-7020, which require contractors to report summary level scores indicating their self-assessment of compliance with NIST SP 800-171 in the Supplier Performance Risk System (“SPRS”). The lowest summary level score is -203, and the highest is 110. These DFARS clauses also enable the government to review how contractors have implemented NIST SP 800-171 security measures.

DOJ’s theory centered on two key issues. First, in its summary level score self-assessment from October 2021, LOGZONE reported a “perfect self-assessment score of 110 for its implementation of NIST SP 800-171,” according to the Settlement Agreement. DCMA’s February 2024 assessment, however, resulted in a score of -170, near the bottom of the scoring range. Second, DOJ asserted that from May 2021 through March 2025, LOGZONE submitted claims for payment to the Navy knowing that it had not implemented all cybersecurity measures in NIST SP 800-171, in violation of DFARS clause 252.204-7012.

This settlement highlights the lurking FCA risks present in any DCMA audit, especially in light of any past self-assessments or representations, and DOJ’s willingness to step in and take action when past representations do not align with current evaluations from DCMA. In the settlement, DOJ focused on the gap between LOGZONE’s perfect self-assessment and the significantly lower score it received from DCMA three years later. Government contractors should expect, and plan for, any cybersecurity representations they make, in self-assessment processes or otherwise, to be scrutinized later for possible FCA violations.

Cybersecurity compliance is fast becoming a focus of FCA enforcement. Assistant Attorney General Brett Shumate emphasized this very point, explicitly linking cybersecurity representations to national threats: “The Justice Department will continue to investigate potential violations of these cybersecurity requirements in order to protect this critical information from external threats.” This settlement illustrates that DOJ will do so even in matters, like this one, where the dollar amounts at issue are relatively small. Thus, the message is clear: government contractors should take stock of their cybersecurity compliance requirements and ensure all is in order, especially prior to submitting NIST self-assessments.

A copy of the settlement is available here.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.