Podcast Summary: FCA Whistleblower Strikes Again
Podcast: Sum IT Up: CMMC News Roundup
Host: Summit 7
Episode Date: December 18, 2025
Episode Overview
This episode examines the latest wave of False Claims Act (FCA) actions against Department of Defense (DoD) contractors, focusing on a recent whistleblower case involving Swiss Automation Incorporated. The hosts break down legal pressures (such as FCA and DFARS/NIST compliance) facing defense contractors, highlight trends in cybersecurity settlements, and discuss the growing influence—and risks—posed by internal whistleblowers. The major takeaway: CMMC remains just one part of an increasingly aggressive enforcement landscape for cybersecurity compliance in defense contracting.
Key Discussion Points and Insights
1. Swiss Automation FCA Settlement: Case Breakdown
- Swiss Automation Inc. agreed to pay $421,234 for FCA violations after an employee whistleblower reported inadequate cybersecurity protections for DoD part drawings ([00:02]).
- Whistleblower's share: $65,000.
- The company’s failure lay in not implementing NIST SP 800-171 controls as required by contract, a long-standing DoD rule.
- Quote:
“This is the fifth cybersecurity settlement under the False Claims Act in 2025. Remember, CMMC verifies requirements that are already in your contracts. So don't wait until you see a solicitation with CMMC in it to get compliant. The DOJ certainly isn't.” — Host A ([00:45])
2. DOJ’s Enforcement Approach: Not Just for Large Primes
- Enforcement is now targeting not only major primes or universities but small and mid-sized companies across the DIB (Defense Industrial Base).
- Example: Swiss Automation is a 300-person company whose fine exceeded its contract earnings ([01:56]).
- The FCA applies regardless of company size or contract value.
- Quote:
"It's one of the ones that people in the DIB can look at and it looks more like them... Same scenario, same setup, not a lot of contracts, right?" — Host B ([01:15])
3. Knowledge and Negligence: ‘I Didn’t Know’ Isn’t a Defense
- FCA liability hinges on the concept of "knowingly" submitting a false claim, which includes reckless or grossly negligent disregard.
- The standard legal advice: Read your contracts; ignorance won’t help you ([04:09]).
- Quote:
"If you weren't aware of what you signed up for in the contract, that's your problem. That doesn't actually provide a legal defense." — Host A ([04:09])
4. Recent FCA Cybersecurity Cases: The 2025 Scoreboard
- Five major settlements in 2025, spanning a range of company sizes:
- Morse Corp: $4.6M ([05:57])
- Raytheon & Nightwing: $8.4M
- Aeroturbine: $1.75M (notable for including a private equity firm)
- Georgia Tech Research Corp: $875K
- Swiss Automation (Illinois Precision): $421K
- No exclusions: Anyone—from individuals to equity firms—can be targeted ([07:30]).
5. The Whistleblower Provision: Incentivizing ‘See Something, Say Something’
- FCA’s qui tam provision: Allows private citizens (employees or others) to bring suits on behalf of the government and receive 10–30% of the government’s recovery ([07:51]).
- Recent whistleblowers have received sums ranging from $65K (Swiss Automation) to over $1.5M (Raytheon).
- The hosts highlight this as an oft-overlooked “insider risk.”
- Quote:
"Probably the biggest insider risk that you have inside of your company if you're not compliant... are your own employees, because they are highly incentivized to blow the whistle and go after this payday. It's just business." — Host A ([10:25])
6. DFARS Clause 252.204-7012 & CMMC: Foundations for Enforcement
- DFARS 252.204-7012: The clause requiring contractors to implement NIST SP 800-171 to safeguard CUI (Controlled Unclassified Information).
- CMMC exists primarily to verify compliance, not to add new obligations ([11:27]).
- A false claim can be triggered simply by submitting invoices without the required cybersecurity controls in place, even in the absence of any CMMC certification requirement.
- Quote:
“If you submit invoices without complying with DFAR 7012, you are making a false claim to the government.” — Host A ([11:40])
7. DOJ’s Stance: Settlements Are Real, FUD Is Not
- DOJ remains resolute; statements from Brett Shumate (Asst. Attorney General) and Jason Sarjantsky (DoD IG) reinforce intent to pursue violators ([12:33]).
- The hosts counter industry skepticism: FCA cyber cases are not “FUD”—they are documented, multiplying, and lucrative for the government.
- Quote:
“It’s only FUD if it’s not true... People are paying out hundreds of thousands, millions of dollars in fines.” — Host A ([13:56])
8. Government Recoveries: Big (and Growing) Business
- The FCA yielded $2.9 billion in settlements and judgments in FY2025, a growing line of business for the government, with only a small slice coming from cyber fraud so far ([14:52]).
- The DOJ’s “Cyber Civil Fraud Initiative” (2021) is driving increased focus and numbers.
- More FCA cyber cases are expected in 2026.
- Quote:
“Just designed to zoom out... DOJ obtained more than $2.9 billion in settlements and judgments from civil cases involving fraud and false claims against the government just in fiscal year 2025.” — Host A ([14:52])
Notable Quotes & Memorable Moments
- “If you weren't aware of what you signed up for in the contract, that's your problem. That doesn't actually provide a legal defense.” — Host A ([04:09])
- “Probably the biggest insider risk... are your own employees, because they are highly incentivized to blow the whistle and go after this payday. It's just business.” — Host A ([10:25])
- “It’s only FUD if it’s not true... People are paying out hundreds of thousands, millions of dollars in fines.” — Host A ([13:56])
- “The purpose here is to protect the information so we don't have Korean jets flying around looking like ours.” — Host B ([14:45])
Important Segment Timestamps
- Swiss Automation case introduction: [00:02]
- Discussion of company size and why the case mirrors the typical DIB firm: [01:15]–[01:56]
- DFARS clause & CMMC connection: [11:27]–[12:10]
- Whistleblowers’ role and payouts breakdown: [09:00]–[11:00]
- Statistical recap of FCA settlements: [05:57], [14:52]
- DOJ’s big-picture enforcement and incentives: [14:52]–[16:45]
Final Takeaways
- CMMC compliance is just the beginning: The DOJ expects you to already be meeting requirements embedded in contract clauses, regardless of audits or CMMC.
- No one is too small: Even small or niche contractors are at risk.
- Employees are watching (and incentivized): Whistleblowers drive many FCA cases, making internal culture and compliance critical.
- DOJ is not slowing down: Bigger settlements, accelerating enforcement—expect even more in 2026.
Listeners are left with a pointed warning: If you’re not compliant now, the risk isn’t hypothetical—the FCA is real, whistleblowers are motivated, and the government is cashing in. Prepare accordingly.
