Not So Perfect: Dramatic Difference Between Self-Reported and DIBCAC Assessed NIST SP 800-171 Scores Leads To Another Cyber FCA Settlement

The U.S. Department of Justice (DOJ) announced on June 18, 2026, that LOGZONE, Inc., a logistics services provider based in Huntsville, Alabama, has agreed to pay $507,144 to resolve False Claims Act (FCA) allegations arising from its failure to implement required cybersecurity controls on two contracts with the U.S. Navy. This is the latest in a growing line of cyber FCA settlements stemming from contractors’ failure to comply with DFARS 252.204-7012 and implement the controls specified by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. 

According to the settlement agreement, LOGZONE held two contracts with the Navy, awarded in March 2021 and November 2022, to provide logistical and facility support services for the Naval Oceanographic Command Property Management Program at Stennis Space Center in Mississippi. Both contracts incorporated DFARS clause 252.204-7012, which requires contractors to implement the cybersecurity controls in NIST SP 800-171 for information systems that process, store, or transmit Covered Defense Information (CDI). The contracts also incorporated DFARS clauses 252.204-7019 and 252.204-7020, which required LOGZONE to post a current self-assessment score to the Supplier Performance Risk System (SPRS). Self-assessment scores under the NIST SP 800-171 framework can range from -203 to 110.

In October 2021, LOGZONE submitted to the government a self-assessed score of 110 — a perfect score. But less than four months later, when the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conducted its own assessment of LOGZONE’s covered information systems in February 2024, it determined that LOGZONE’s score should have been a -170. According to the settlement agreement, from May 2021 through March 2025, LOGZONE submitted claims for reimbursement under the Navy contracts despite knowing it had not fully implemented required NIST SP 800-171 controls — including controls that, if absent, could lead to significant exploitation of the system or exfiltration of covered defense information. LOGZONE received $682,193.37 under the contracts during that period. Under the terms of the settlement, LOGZONE will pay $507,144, of which $253,572 is restitution, meaning that LOGZONE will pay based on a multiplier of two. As our readers know, when a potential defendant settles FCA allegations, it will pay less than the typical treble damages (using a multiplier of three) that it would face if found liable at trial.

Unlike some earlier cyber FCA settlements, DOJ's press release and settlement agreement make no reference to a relator, indicating that DOJ investigated and brought the action itself. The dramatic difference between the DIBCAC’s assessed score (which was near the bottom of the possible score range) and LOGZONE’s self-reported perfect SPRS score likely triggered DOJ’s scrutiny. Contractors should be aware that, under DOJ’s Civil Cyber-Fraud Initiative, DOJ has taken a special interest in cybersecurity cases and is pursuing them even in the absence of a whistleblower.

Cybersecurity issues continue to be a focus of FCA enforcement, and we at Qui Notes will continue to monitor cyber FCA developments. And our readers can always look to our Cyber FCA Tracker to get a quick snapshot of DOJ’s recoveries under its Civil Cyber-Fraud Initiative.

© Arnold & Porter Kaye Scholer LLP 2026 All Rights Reserved. This Blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.