
As 2025 drew to a close, the United States Department of Justice (DOJ) announced significant developments in cases relating to the allegedly deficient cybersecurity practices of two Department of Defense (DoD) contractors. These two cases suggest that the federal government will continue to make DFARS 7012 compliance for companies that process Controlled Unclassified Information (CUI) an enforcement priority in 2026. They also suggest that the DOJ may be broadening its enforcement efforts.
On December 5, 2025, the DOJ announced that it had reached a settlement with Swiss Automation, Inc. (“Swiss Automation”), an Illinois-based precision machining company. The DOJ alleged that Swiss Automation knowingly failed to provide “adequate cybersecurity, as required by DFARS 252.204-7012, for the technical drawings of certain parts that [Swiss Automation] supplied to contractors….” Swiss Automation agreed to a settlement of $421,234, of which $65,291 was paid to the Relator, Swiss Automation’s former Quality Control Manager and Manager of Secondary Operations. Notably, the settlement reflects a stark departure from the allegations in the original complaint, which did not mention DFARS 7012 and instead focused on alleged violations of the International Traffic in Arms Regulations (ITAR) relating to the employment of personnel outside of the United States.
On December 10, 2025, the DOJ announced that it had unsealed a criminal indictment against a former senior manager at a defense contractor that provided cloud computing services to, among other agencies, the Department of the Army. According to the indictment, the manager “engaged in a scheme to defraud the United States and its departments and agencies by making false and misleading representations about the Platform’s security and risk posture to help [the contractor] obtain and maintain lucrative federal contracts.” The manager is alleged to have made materially false and misleading statements to “fraudulently obtain and maintain a FedRAMP High P-ATO” and “fraudulently induce the Army to award task orders” valued at over $29 million to the manager’s employer. If convicted, the manager faces maximum penalties of 20 years in prison for wire fraud, 10 years in prison for major government fraud, and 5 years in prison for each count of obstruction of a federal audit.
These two cases represent a significant departure from recent cyber fraud cases involving noncompliance with DFARS 7012. Recent cyber fraud investigations by the DOJ typically involved civil fraud by defense contractors with allegedly systematic cybersecurity deficiencies that could potentially compromise the integrity of DoD CUI. Settlements with companies like Raytheon or Illumina contained allegations of deficient cybersecurity practices spanning the course of years. But the Swiss Automation settlement may signal the minimum level of alleged misconduct that can still trigger cyber FCA enforcement relating to the protection of CUI: one where cybersecurity-specific violations were not part of the relator’s complaint and the allegedly fraudulent conduct spanned less than a year.
Conversely, the December 10, 2025 criminal case appears to represent the most aggressive example to date of cyber-related fraud enforcement related to the processing of CUI. Unlike in the 2025 MORSECORP settlement, which similarly concerned a third-party service provider’s alleged failure to meet the FedRAMP Moderate standard, the government here ultimately chose to criminally indict an individual employee. The monetary value, over $29 million, of the manager’s alleged fraud is quite a bit higher than some of the other cyber fraud cases that we have written about previously. But it is also not the first one in which the value of the alleged fraud exceeds the minimum threshold of $1 million needed to bring a charge for major fraud against the United States under 18 U.S.C. § 1031.
As companies that process CUI assess the enforcement landscape in 2026, defense contractors should look at these two cases as indicators of the type of regulatory activity that they can expect from the DOJ. A systemically deficient cybersecurity program is no longer the minimum level of alleged misconduct for which companies can expect to see enforcement action from the government. Likewise, fraudulently certifying cybersecurity compliance may now even result in criminal penalties in certain circumstances. Alston’s Privacy, Cyber, and Data Strategy, Government Investigations, and Government Contracting teams will continue to actively monitor cases in this space for further developments.