NIST SP Standards Strike Again: DOJ Announces Another Cyber FCA Settlement

The U.S. Department of Justice (DOJ) announced its most recent settlement under the Civil Cyber-Fraud Initiative on December 5, 2025 for about $420,000. This is yet another settlement stemming from a defense contractor’s alleged failure to adequately implement cybersecurity controls specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.

More specifically, the Settlement Agreement alleges that Swiss Automation, a precision machining manufacturer, failed to provide adequate cybersecurity for technical drawings of certain parts it supplied to government contractor customers under nine purchase orders covered by Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. DFARS 252.204-7012 requires that a contractor’s information system that contains controlled unclassified information implement the cybersecurity controls in NIST SP 800-171. The Settlement Agreement does not reference any particular cybersecurity controls that allegedly were not implemented and instead summarily alleges that Swiss Automation’s knowing failure to provide adequate cybersecurity controls caused the submission of false claims for payment.

A former quality-control manager filed the case and will receive $65,000 or approximately 15% of the settlement amount as his relator’s share.

As Qui Notes readers know, DOJ has settled several cases this year related to implementation of the NIST SP controls. Indeed, we have covered earlier settlements related to NIST SP controls across industries — including defense, private equity, and education. We will continue to monitor the latest cybersecurity settlements, including those related to failures to adequately implement the NIST standards. You can also keep track of all cyber-related FCA resolutions using Qui Notes’ Cyber FCA Tracker.

© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.