TL;DR: The DOJ recovered more than $6.8 billion under the False Claims Act in fiscal year 2025, while whistleblowers filed a record 1,297 qui tam lawsuits, underscoring how cybersecurity misrepresentations and contract certifications now carry direct financial exposure for defense contractors, according to Secureframe. Compliance gaps are no longer just audit issues; they are billing risk, oversight risk, and accountability risk.
NHIMG editorial — based on content published by Secureframe: $6.8 Billion in False Claims Act Recoveries and the DOJ’s Warning to the Defense Industrial Base
By the numbers:
- Whistleblowers filed 1,297 qui tam lawsuits in fiscal year 2025, also a record.
Questions worth separating out
Q: What breaks when cybersecurity certifications are not backed by current evidence?
A: The certification stops being a defensible statement and becomes a liability vector.
Q: Why do subcontractor security assurances create False Claims Act risk?
A: Because a prime contractor may rely on downstream statements when making its own representations to the government.
Q: How do security teams know whether certification evidence is strong enough?
A: The evidence should be dated, reviewable, and tied to a specific control state at the time the claim was made.
Practitioner guidance
- Tie every cybersecurity certification to named evidence owners Assign a business owner and a technical owner for each certification statement, then require dated evidence showing the control state at sign-off.
- Build subcontractor validation into flowdown governance Do not rely on written assurances alone.
- Retain an audit trail for access and control exceptions Keep time-stamped records for privileged access, remediation decisions, and unresolved exceptions so the organisation can show what was known when a certification was made.
What's in the full article
Secureframe's full blog covers the operational detail this post intentionally leaves for the source:
- A contract-by-contract breakdown of how CMMC, DFARS, SPRS, and annual SAM.gov representations shape exposure.
- Practical guidance on how primes should validate subcontractor claims before those claims are reused in government-facing certifications.
- Examples of how compliance evidence should be coordinated across legal, contracts, and security teams before submission.
- A closer look at how whistleblower incentives change internal reporting and remediation expectations.
👉 Read Secureframe’s analysis of False Claims Act enforcement and DIB cyber risk →
False Claims Act enforcement in the DIB: where compliance gaps turn costly?
Explore further
Cybersecurity certification has become a governance control, not a paperwork exercise. The article correctly shows that when a contractor certifies security posture, the statement itself becomes part of the risk surface. For IAM and PAM programmes, that means evidence quality, review cadence, and ownership trails matter as much as the control design. Practitioners should treat every attestation as a governed assertion backed by audit-ready proof.
A question worth separating out:
Q: Who is accountable when a cybersecurity representation turns out to be inaccurate?
A: Accountability usually spans contracts, legal, and security leadership, not just the control owner. The people signing the representation must be able to prove they understood the actual control state, the exceptions, and any subcontractor dependencies before the statement went out.
👉 Read our full editorial: False Claims Act recoveries expose DIB compliance risk in 2025