gwb | Grubman Warner Berry
False Claims Act

Alabama Defense Contractor Pays Over $500K to Resolve False Claims Act Cybersecurity Liability

Share This:
Jul 13, 2026

An Alabama defense contractor has agreed to pay $507,144 to resolve False Claims Act (FCA) liability arising from its alleged failure to comply with cybersecurity requirements in two Department of the Navy contracts.

According to an announcement by the Department of Justice (DOJ), Huntsville-based LOGZONE Inc. submitted claims for payment while knowingly failing to implement required cybersecurity controls governing systems that processed, stored, or transmitted sensitive defense information. The settlement is another reminder that cybersecurity requirements in federal contracts are not merely technical specifications. The DOJ often treats noncompliance as potential fraud under the FCA.

The Navy Contracts and Cybersecurity Requirements

The Navy awarded LOGZONE two contracts to provide logistics, inventory, and facilities support services for the Naval Oceanographic Command Property Management Program at the Stennis Space Center in Mississippi. LOGZONE received approximately $682,000 under the contracts through March 2025.

The contracts incorporated several Defense Federal Acquisition Regulation Supplement provisions. Among other things, those provisions required LOGZONE to:

  • Provide adequate security for information systems containing covered defense information;
  • Implement applicable security controls from National Institute of Standards and Technology Special Publication 800-171; and
  • Submit a current cybersecurity self-assessment score to the Department of Defense’s Supplier Performance Risk System.

In October 2021, LOGZONE submitted a perfect self-assessment score of 110, the highest score available. But when the Defense Contract Management Agency subsequently conducted its own assessment, LOGZONE received a score of negative 170. The possible scores ranged from negative 203 to positive 110.

According to the DOJ, LOGZONE had not fully implemented required NIST controls from May 2021 through March 2025. The missing controls allegedly included protections that, if not implemented, could result in significant exploitation of the company’s systems, the exfiltration of covered defense information, or other effects on system and data security. The DOJ alleged that LOGZONE nevertheless continued submitting claims for reimbursement under the Navy contracts while knowing that it had not complied with the applicable cybersecurity clause.

Cybersecurity Compliance Is an FCA Issue

The DOJ launched its Civil Cyber-Fraud Initiative in 2021 to use the FCA against government contractors and grant recipients that knowingly misrepresent their cybersecurity practices, provide deficient cybersecurity products or services, or violate contractual obligations to monitor and report cybersecurity incidents.

Since then, the DOJ has repeatedly pursued contractors for allegedly failing to implement required controls or accurately report their cybersecurity posture. The government has emphasized that inaccurate security assessments can deprive an agency of the information it needs to evaluate contractor risk, structure a contract, or determine whether the contractor should receive federal funds in the first place.

The LOGZONE settlement is particularly notable because of the difference between the company’s reported score and the government’s subsequent assessment. The case shows the risk of treating self-assessments as routine paperwork or relying on aspirational compliance statements that do not reflect controls actually operating within the organization.

The resolution also illustrates that FCA exposure does not necessarily depend on an actual data breach or confirmed loss of government information. The government’s theory focused on the alleged failure to implement required controls, the inaccurate assessment of those controls, and the continued submission of claims for payment.

Key Takeaways for Government Contractors

Contractors should identify every cybersecurity requirement incorporated into their federal contracts, including requirements contained in standard clauses, task orders, solicitations, and flow-down provisions. Responsibility should not rest solely with information technology personnel. Legal, compliance, contracts, and operational teams should understand which representations are being made to the government and how those representations affect eligibility for payment.

Self-assessment scores and other certifications should be supported by contemporaneous evidence. Contractors should maintain documentation showing how each required control was tested, who performed the assessment, what deficiencies were identified, and what remediation remains outstanding. A third-party review may be appropriate when the company lacks the internal expertise to independently validate its compliance.

Contractors also should establish a process for escalating identified deficiencies. Once employees or management learn that a prior certification may no longer be accurate, continuing to submit claims without investigating the issue can increase FCA risk. Legal counsel should be involved early to evaluate whether corrective action, an updated assessment, or disclosure to the government is appropriate.

Finally, prime contractors should evaluate cybersecurity compliance throughout their supply chains. Many federal cybersecurity provisions must be incorporated into subcontracts, and a prime contractor may face significant risk if it relies on unsupported assurances from vendors that handle government information.

GWB represents government contractors and other businesses in connection with government investigations and False Claims Act litigation. If you need assistance with such a matter, contact us today.

Get in Touch With Us

For more information or to arrange a consultation, please contact us by telephone at (404) 233-4171 or online by submitting the form below. The use of the Internet or this form for communication with the firm or any individual member of the firm does not establish an attorney-client relationship nor create an expectancy of a potential attorney-client relationship. Do not submit information which is confidential or time sensitive, as it may not be treated as such.