Defence majors, startups, and private equity funders looking to the US defence market: Mind the risk of False Claims Act and cybersecurity liability

The US defence market offers major growth potential for non‑US contractors, but technical noncompliance can trigger False Claims Act exposure and significant penalties. Recent cases show the Department of Justice is using cybersecurity clauses to pursue liability even without a breach.

Non‑US defence companies and technology startups are targeting the US Department of Defense as a growth market, aided by exceptions that allow allied‑country sourcing and substantial purchasing from abroad. The opportunity comes with material legal risk. Failure to follow the hyper‑detailed and sometimes ambiguous requirements embedded in federal contracts and subcontracts can escalate a routine dispute into liability under the False Claims Act, which carries treble damages and civil penalties. The article cautions that not only contractors, but also investors, can face direct exposure, underscoring the need for early education on obligations and robust compliance before problems arise.

The False Claims Act allows the Department of Justice and whistleblowers, known as relators, to pursue claims for materially false or misleading payment requests to the government or its funding recipients. While styled as an anti‑fraud statute, it is frequently used to litigate issues that would otherwise be breach‑of‑contract disputes. In 2021, the Department of Justice launched the Civil Cyber‑Fraud Initiative to apply the False Claims Act to cybersecurity noncompliance by contractors and grantees, including deficient controls, misrepresentations, and failure to report incidents. In parallel, the Department of Defense Office of Inspector General issued a January 2025 audit criticizing internal controls over Cybersecurity Maturity Model Certification assessors, signaling heightened scrutiny of certifications that underpin contractors’ eligibility.

Enforcement momentum has accelerated through a series of multimillion-dollar settlements in 2025 focused on cybersecurity obligations. Health Net Federal Services and its parent were alleged to have missed vulnerability scans and ignored audit findings while certifying compliance for TRICARE services. MORSECORP, a developer of Artificial Intelligence tools for the Department of Defense, resolved allegations tied to noncompliant email hosting, absent written security plans, and delayed updates to risk scores. Raytheon Companies and Nightwing Group settled over protections on an internal development system used for covered defence information. Aero Turbine and its former private equity investor, Gallant Capital Partners, paid to resolve issues tied to vendor access to defence information, with cooperation credit reducing the multiple of alleged damages. Illumina settled allegations that it falsely certified compliance with cybersecurity standards in software for genomic sequencing devices. In several matters there was no alleged breach, only technical and procedural shortcomings, and whistleblowers included senior security and engineering personnel.

These developments show the Department of Justice is prepared to use the False Claims Act to enforce cybersecurity clauses, even absent an actual incident, and that reliance on third‑party cloud or development systems is risky without rigorous oversight. With the Department of Defense inspector general questioning aspects of the certification ecosystem, traditional contractors and defence‑tech startups should ensure legal, compliance, and technical teams are aligned on federal requirements, vendor management, documentation, and reporting. Early internal controls, accurate representations, and proactive remediation can reduce exposure if litigation or a whistleblower claim arises.
