A
All right, folks, it is December of 2025, almost the end of the year. And wouldn't you know it, another False Claims Act whistleblower has been paid out by the defense contractor that they turned in to the Department of Justice. Swiss Automation Incorporated has agreed to pay $421,234 to resolve alleged False Claims Act violations relating to its failure to provide adequate cybersecurity for certain drawings of parts that the company machined and supplied to Department of Defense contractors. They got turned in by their own employee, who's going to get $65,000 for their troubles. This is the fifth cybersecurity settlement under the False Claims Act in 2025. Remember, CMMC verifies requirements that are already in your contracts. So don't wait until you see a solicitation with CMMC in it to get compliant. The DOJ certainly isn't. And that's what we're going to talk about today.
B
I mean, we were told at the beginning of the year that there were a bunch of these cases that potentially were going to be unsealed, and that they were just like a jack-in-the-box, like piled in the box. And we're just turning the crank every single day to see what pops out. And if it's an FCA case, and if the clown's happy, sad, or it got a 10 discount because it turned itself in. Right. And so here we are, where it's a little bit different. It's not a university, it's not a major, you know, prime company or anything like that. It's a smaller company. And again, I said this before when we talked about another FCA case of a small company. It's one of the ones that people in the DIB can look at and it looks more like them. It's like what they look like in the mirror. Right. Same scenario, same setup, not a lot of contracts, right?
A
Yep. This was a 300-person company. And their $400,000 fine stems from a handful of purchase orders that they worked on. The employee was like, I don't feel comfortable with what's going on here. We have obligations, we're not meeting them. One thing led to another, and now they're writing a check for way more than they got paid on the actual purchase orders, thanks to the nature of the False Claims Act. But let's just talk about the settlement really quick. This comes straight from the DOJ's press release. The Department of Justice says the settlement resolves allegations that Swiss Automation caused the submission of false claims by not providing adequate cybersecurity to safeguard certain drawings of parts that the company machined and supplied to defense contractors. Swiss Automation allegedly knew that the requirement to provide adequate security by implementing certain cybersecurity controls applied not only to DoD prime contractors, but also to subcontractors and suppliers to those primes. The obligation to implement security controls specified in NIST SP 800-171 to protect certain DoD information, DOJ's words here, has applied to DoD contracts, subcontracts, and similar contractual instruments since 2017 and will continue under the CMMC program that DoD recently finalized. Couldn't have said it better myself. We've said this multiple times. CMMC is just the verification for existing requirements that have been in contracts for a long time. Every DOJ settlement regarding cybersecurity under the False Claims Act, you know, is referring to non-compliance with existing requirements, nothing to do with CMMC.
B
Yeah, and so what we tend to see sometimes in these cases, Jacob, is they'll be like, oh, we didn't know.
A
Right.
B
Remember, we've been through that with Stephanie and everything like that. The "we didn't know" excuse. But clearly in the settlement it says that they knew and then just grossly negligently ignored it. Right. So wouldn't you think that the penalty would be much harsher when that's the case than for the self-reporting organizations?
A
Yeah, I mean, we'll have to, you know, maybe talk to Stephanie again or some folks that are familiar with it. You know, the nature of the fine is highly variable, although it's always significant. The trick here, though, is that if you accept the terms of the contract, according to the way the lawyers look at it, you know that you have it in your contracts. If you weren't aware of what you signed up for in the contract, that's your problem. That doesn't actually provide a legal defense. Ask anybody who's enlisted in the military: if you didn't know what was in your contract, sorry about it, you don't actually get to fly your own jet. You get to handle a needle gun and knock rust off the side of the ship instead. Read your contracts, everybody. Especially if you're going to enlist in the military.
B
So it's fascinating to see the variance. And there's no method to the madness, exactly, when it comes to what these settlements add up to. It's like quarterback rating. Right. Nobody knows exactly what that number is.
A
Yeah, yeah. So let's talk about the False Claims Act. Just really quickly, we've done multiple, multiple episodes, talked to multiple experts on the False Claims Act. This is just a brief primer off of the DOJ's website where they talk about the False Claims Act. Actually, they say the False Claims Act is a federal statute originally enacted in 1863 in response to defense contractor fraud, not during the American Civil War. I mean, this was straight up a thing that's been around trying to get contractors that are committing fraud according to the way the government views it. The False Claims Act provides that any person who knowingly, which is a specific legal term, any person who knowingly submits or causes to be submitted false claims to the government is liable for three times the government's damages, plus a penalty that is linked to inflation. Right. So this is a highly variable set of fines according to the value of the work you're doing for the government. So the size of the fines is determined by the value of the contract, not the size of the company. The Department of Justice routinely goes after individuals for fraud under the False Claims Act. So no one is too small to be a target. Like we said earlier, this is the fifth cyber False Claims Act settlement in 2025. And they have gone after everybody from mega corporations to 100-person defense subcontractors. So back in March, Morse Corp. got a $4.6 million settlement under the False Claims Act. In May, Raytheon and Nightwing had an $8.4 million settlement. Back in July, Aero Turbine, $1.75 million. Recently in September, Georgia Tech Research Corporation settled for $875,000. And now, most recently in December of 2025, Illinois Precision, 421 grand for their settlement under the False Claims Act.
B
And then one of the other things to add to that is that in some cases, especially I think in Aero Turbine, right, it went to the PE firm. Right. There were other parties that were involved in this. Like you said, they don't just go after individuals for fraud. It's not just a specific.
A
Yeah.
B
There's nobody. There's no exclusions. Right. There's nobody safe if you're doing something wrong, I guess is what I'm trying to get at. Yeah.
A
The majority of False Claims Act cases go after sort of healthcare fraud, Medicare fraud, nursing homes, things like that. They can go after stuff for, during COVID they had the, I think it was the Paycheck Protection Program.
B
Yeah.
A
So there they're going after individuals committing fraud for that. So they go after gigantic corporations, individuals, and everything in between. But speaking of individuals, the thing about the False Claims Act that should really get your attention, Mr. and Mr. Defense Contractor out there, is there's a whistleblower provision in the False Claims Act. So the DOJ says, in addition to allowing the United States to pursue perpetrators of fraud on its own, the False Claims Act allows private citizens to file suits on behalf of the government against those who have defrauded the government. Private citizens who successfully, you know, execute these actions may receive a portion of the government's recovery, 10 to 30% of the fine. So you're going to take the value of all the contracts that you have submitted a false claim for, they're going to hit you for triple the value of that work, and then the whistleblower will get paid out 10 to 30% of those fines. So for example, Morse Corp., $4.6 million settlement. The relator, the whistleblower, got 18.5% of that $4.6 million. And Morse Corp. had to pay almost $200,000 for the whistleblower's legal fees. Raytheon and Nightwing, $8.4 million settlement. The whistleblower got paid a million and a half bucks. Aero Turbine, $1.75 million settlement. They self-reported their non-compliance and the false claim because their private equity firm, like you said, is actually the one that committed the violation and got them in trouble. They turned themselves in and still had to pay almost $2 million in fines. Georgia Tech, like we talked about earlier, $875,000 settlement, $201,000 to the whistleblower. And then finally Illinois Precision, $421,000, had to pay their quality manager, not even the IT guy, the quality manager who blew the whistle, 65 grand for the trouble of letting the government know that you're not doing the things that you're supposed to be doing inside your contract.
B
What are some things that affect that percentage that you get? Or is it just, at the end of the day, they're like, you know what, this sounds like you gave us 18.5% worth of evidence for this case. Is that what it is?
A
Yeah, I'm not sure. We'd have to, you know, in the new year have some people on who are more familiar, have Stephanie back and have some other folks back as well that can maybe shed some light on why relators sometimes get 10, sometimes 30. Either way, you know, the people who are blowing the whistle are not making a million and a half bucks a year. I mean, you're talking about people who are getting a massive windfall when they otherwise would have just preferred to probably do their job. And we've talked to a lot of these whistleblowers before. Every one of them that blew the whistle and got this massive payday is still employed to this day. So it's not like they have trouble finding work afterwards. Just so you're aware: probably the biggest insider risk that you have inside of your company, if you're not compliant with your contractual requirements, is your own employees, because they are highly incentivized to blow the whistle and go after this payday. It's just business. At the end of the day, be aware. Out of the five cybersecurity False Claims Act settlements this year, four of them had whistleblowers walk away with a ton of money.
B
Yeah, I mean, it's just a case of see something, say something. The government can't see everything, so they're hoping that somebody says something. And obviously you're going to get rewarded if you say something and it leads to something.
A
Yeah, absolutely. So, if you're not familiar, we did an entire episode outlining the basics of DFARS clause 252.204-7012. The entire CMMC program exists, for the most part, to verify that you are complying with that clause. Specifically because of situations like this. There is no inherent proof to the government that you're complying with it. They're just taking your attestation, they're just taking your word that you are complying with it. So if you handle controlled unclassified information on your information system, then you operate what is known as a covered contractor information system pursuant to DFARS clause 252.204-7012. If you submit invoices without complying with DFARS 7012, you are making a false claim to the government. Previous False Claims Act cases have held that cybersecurity compliance is material to the contract. Talking Aerojet Rocketdyne here, several years ago. Therefore, the government can easily come after you for treble damages, for triple the value of the actual contract that you signed with them. So from this most recent settlement, Assistant Attorney General Brett Shumate of the Department of Justice Civil Division said, we will continue our efforts to hold defense contractors, subcontractors and suppliers accountable when they fail to honor their DoD cybersecurity commitments. And then: we will hold contractors, subcontractors and suppliers accountable when they fall short of their cybersecurity obligations to the Department of Defense. That was Special Agent in Charge Jason Sarjantsky. He's the DoD IG from the Defense Criminal Investigative Service. They all say the same thing, right? You get the IGs from the components. You get the people from DOJ. They're like, you have these obligations. You don't do it, we're coming after you.
B
This is just simple, transactional. Adequate, right. Like, I pay you for something, I expect you to be doing exactly the specifications. I pay you to lay a floor, you know, I expect you to put the sublining underneath the floor to make sure it doesn't get, like, these are the things that we pay for. So it's just making sure that you live up to the expectations of what you signed for. And it seems to be a concept that is missed by many. Right. I mean, you know.
A
One of the things that we've heard for years, one of the things we still hear to this day: people hate it. Whenever people tell them that they've had these obligations in their contracts all along, they think it's annoying. They think that it's beside the point. They don't like it. They find it grating. That's totally fine. The DOJ doesn't care. Right? And a lot of times people go, this is just fear, uncertainty, and doubt. We got half a dozen of these things just this year alone. People are paying out hundreds of thousands, millions of dollars in fines. There's certainly going to be more next year in 2026. So it's only FUD if it's not true. Go talk to Mr. Shumate or Mr. Sarjantsky about whether or not "I didn't know that I had this in my contract" is a reasonable defense. They're going to settle with you for millions of dollars, potentially.
B
It's only FUD if there's not fuel for the fire of the purpose. Right. The purpose here is to protect the information so we don't have Korean jets flying around looking like ours.
A
Hey, I mean, you know, you can extrapolate it to as big of a picture as you want to, but at the end of the day, it's a term in the contract that you signed up for. You submit an invoice and you didn't do what's in the contract, then the government has every, you know, avenue to come after you for making a false claim. They've been doing this since 1863, so you've got to take it up with them. But just to zoom out on the False Claims Act here at the end, this is big business for the government. The Department of Justice, according to their stats, obtained more than $2.9 billion in settlements and judgments from civil cases involving fraud and false claims against the government just in fiscal year 2025. That is an insane amount of money. Like I said, a very tiny fraction so far has been from cyber civil fraud. Back in 2021, the Department of Justice launched their Civil Cyber-Fraud Initiative. Back then, they said, we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards, because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately to guard the public trust and public taxpayer dollars. So that was back in 2021. And now every year we've seen more and more of these False Claims Act settlements. They take a while to work through the system, ramp up and up and up and up and up. Right? CMMC is its own thing that the DoD is doing. False claims, cyber civil fraud, that is DOJ's own thing. They're related, not the same thing. So a lot of people are like, this seems very unlikely. Seems like it doesn't come up very often. I'll just tell you, from my experience over the last two years, every time I post a settlement regarding cyber false claims, they outperform the rest of my posts on LinkedIn by probably a factor of 10. It gets everybody's eyeballs, it gets everybody's attention.
So, you know, we're all amongst friends here. You don't have to say that it's the thing that freaks you out the most. We already know. So, you know, so you're aware, these things are real. They are absolutely happening. The DOJ is very interested in your compliance with DFARS 7012. Even if you're not all that interested in pursuing CMMC certification, the more, you.
B
Know, 2.9 billion last year, they're just scratching the surface, and they haven't even unsealed all the ones that they know about for sure.
A
Right? Yeah.
B
Like what an emerging line of business, I guess, is the way you could put it.
A
Yeah, absolutely. It's, you know, also just as taxpayers, right, they're recovering $2.9 billion in fines for things that people got paid for and didn't do. So, you know, that's also something to think about, just as we enter into the holiday season here, everybody. But there you go. We're at five for the year. I predict we're gonna have more than that in 2026. What do you think? Do you think the DOJ is right here? Do you think the False Claims Act is a thing that should exist? Do you think we're going to see more? Are you surprised we didn't see more in 2025? Let us know in the comments, like and subscribe. We'll see you next week.
B
See you next week, Sam.
Podcast: Sum IT Up: CMMC News Roundup
Host: Summit 7
Episode Date: December 18, 2025
This episode examines the latest wave of False Claims Act (FCA) actions against Department of Defense (DoD) contractors, focusing on a recent whistleblower case involving Swiss Automation Incorporated. The hosts break down legal pressures (such as FCA and DFARS/NIST compliance) facing defense contractors, highlight trends in cybersecurity settlements, and discuss the growing influence—and risks—posed by internal whistleblowers. The major takeaway: CMMC remains just one part of an increasingly aggressive enforcement landscape for cybersecurity compliance in defense contracting.
“This is the fifth cybersecurity settlement under the False Claims Act in 2025. Remember, CMMC verifies requirements that are already in your contracts. So don't wait until you see a solicitation with CMMC in it to get compliant. The DOJ certainly isn't.” — Host A ([00:45])
"It's one of the ones that people in the DIB can look at and it looks more like them... Same scenario, same setup, not a lot of contracts, right?" — Host B ([01:15])
"If you weren't aware of what you signed up for in the contract, that's your problem. That doesn't actually provide a legal defense." — Host A ([04:09])
"Probably the biggest insider risk that you have inside of your company, if you're not compliant... is your own employees, because they are highly incentivized to blow the whistle and go after this payday. It's just business." — Host A ([10:25])
“If you submit invoices without complying with DFARS 7012, you are making a false claim to the government.” — Host A ([11:40])
“It’s only FUD if it’s not true... People are paying out hundreds of thousands, millions of dollars in fines.” — Host A ([13:56])
“Just to zoom out... DOJ obtained more than $2.9 billion in settlements and judgments from civil cases involving fraud and false claims against the government just in fiscal year 2025.” — Host A ([14:52])
Listeners are left with a pointed warning: If you’re not compliant now, the risk isn’t hypothetical—the FCA is real, whistleblowers are motivated, and the government is cashing in. Prepare accordingly.