1. Insights
  2. Blogs
  3. Data Dive

DOJ’s Cyber Review and Aerojet $9 Million Settlement Signal Continuing FCA Enforcement for Cybersecurity Violations by Government Contractors

Jul 22, 2022

Reading Time : 2 min

By: Natasha G. Kohne, Marta A. Thompson

The Review also noted that where contractual cybersecurity standards were not met, the Department’s Civil Cyber-Fraud Initiative (CCFI) would continue to utilize the False Claims Act (FCA) to pursue cybersecurity-related fraud by government contractors and grant recipients. The CCFI was first announced in October 2021. The Review comes on the heels of a recent FCA settlement with Aerojet Rocketdyne Inc. for alleged fraudulent misrepresentations of compliance with cybersecurity standards.  

On July 8, 2022, the Department announced that Aerojet had agreed to pay $9 million to resolve allegations that it violated the FCA by misrepresenting its compliance with cybersecurity requirements in certain federal government contracts and subcontracts. Aerojet, based in El Segundo, California, provides propulsion and power systems for launch vehicles, missiles and satellites, and other space vehicles to the Department of Defense (DOD), the National Aeronautics and Space Administration (NASA) and other federal agencies. Those contracts are subject to the Federal Acquisition Regulation (FAR) and agency-specific supplements to the FAR, such as the Defense FAR Supplement (DFARS) and NASA FAR Supplement (NASA FARS), which in part require compliance with cybersecurity standards around safeguarding covered defense and sensitive unclassified information, and cyber incident reporting.

The settlement resolves a lawsuit filed by a former Aerojet employee against the company under the qui tam, or “whistleblower,” provisions of the FCA, which authorize a private party to file suit and litigate FCA claims on behalf of the federal government in exchange for a portion of any recovery. The whistleblower, who previously served as the Senior Director of Cyber Security, Compliance & Controls, alleged that Aerojet had entered into multiple federal contracts and subcontracts that required compliance with cybersecurity standards such as DFARS clause 252.704-7012 (which incorporates National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171) and NASA FARS clause 1852.204-76, despite the company’s knowledge that its systems did not meet those requirements. 

The Review and the Aerojet settlement signal an ever-increasing focus by the Department and sponsor agencies on contractor and grantee compliance with cybersecurity regulatory requirements, and may further invite whistleblower actions as well.

The qui tam case is United States ex rel. Brian Markus v. Aerojet Rocketdyne Holdings Inc., et al., Case No. 2:15-cv-02245-WBS-AC (E.D. Cal.).

Share This Insight

Categories

Corporate GovernanceCybersecurity, Privacy & Data ProtectionCybersecurity & Information SecurityFederal Privacy PolicyGovernment Contracts
Subscribe to the Data Dive Blog Series >

Previous Entries

Data Dive

October 10, 2025

The Department of Defense (DoD) has introduced the Cybersecurity Risk Management Construct (CSRMC), a new framework that replaces the legacy Risk Management Framework. CSRMC emphasizes automation, continuous monitoring, and real-time visibility, marking a significant shift away from static, checklist-driven processes.

...

Read More

Data Dive

September 11,2025

The Department of Defense (DoD) recently published in the Federal Register its long-awaited final rule (the Rule) amending the Defense Federal Acquisition Regulation Supplement (DFARS) to formally implement the Cybersecurity Maturity Model Certification (CMMC) program. The Rule, effective November 10, 2025, will move CMMC from a policy framework into binding contractual obligations for most defense contractors.

...

Read More

Data Dive

September 3, 2025

AI policy for the health and life sciences sector has continued to take shape. Building on recent activity, on July 23, 2025, the White House released its highly-anticipated AI Action Plan, setting forth the Trump Administration’s recommended policy actions to accelerate AI innovation and build American AI infrastructure. This Plan recommends policies that would promote AI adoption, the creation of “AI-ready” scientific datasets and the establishment of real-world AI evaluation systems by and for the health care and life sciences industries.

...

Read More

Data Dive

July 29, 2025

The U.S. Court of Appeals for the Sixth Circuit has upheld a 2024 Federal Communications Commission (FCC) Order that significantly broadens telecommunications carriers’ breach notification obligations. This decision, issued on August 14, 2025, in Ohio Telecom Association v. FCC, mandates that carriers disclose breaches of any customer personally identifiable information (PII), not just customer proprietary network information (CPNI), and applies to both inadvertent and intentional breaches.2

...

Read More

Recommended Blogs

© 2025 Akin Gump Strauss Hauer & Feld LLP. All rights reserved. Attorney advertising. This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. Prior results do not guarantee a similar outcome. Akin is the practicing name of Akin Gump LLP, a New York limited liability partnership authorized and regulated by the Solicitors Regulation Authority under number 267321. A list of the partners is available for inspection at Eighth Floor, Ten Bishops Square, London E1 6EG. For more information about Akin Gump LLP, Akin Gump Strauss Hauer & Feld LLP and other associated entities under which the Akin Gump network operates worldwide, please see our Legal Notices page.