May 5, 2020

The Department of Defense’s Role in Qui Tam Cases: Defenders of the Country and the Taxpayer Dollar

The False Claims Act encourages citizens to report fraudulent activity involving government funds. According to the Department of Justice, fraud claims involving the Department of Defense accounted for $252.1 million of recovered funds in 2019 –– double the amount of recovered funds from 2018.[1] Fraud on the Department of Defense is persistent and includes product substitution, fraudulent inducement of contracts, healthcare fraud, and false certification. The prevalence of fraud is incessant, and the Department of Defense’s role in preventing fraud on the government, investigating relators’ fraud allegations, and enforcing regulations with defense contractors is imperative.

The Department of Defense has a large brigade of fraud detection and investigation units. These units include the Department of Defense Office of Inspector General, Defense Criminal Investigative Service, U.S. Army Criminal Investigation Command, Naval Criminal Investigative Service, Air Force Office of Special Investigations, Undersecretary of Defense for Acquisition and Sustainment, Defense Industrial Base Cybersecurity Assessment Center, Defense Pricing and Contracting, and the Defense Contract Management Agency. These units are responsible for detecting fraud and are tasked with responding to a relator’s allegation of false claims in their respective divisions.

The most notable investigation conducted by investigatory units of the Department of Defense was Operation Illwind in 1988. Headed by the Naval Criminal Investigation Service (NCIS), the Defense Criminal Investigation Service (DCIS), and the Air Force Office of Special Investigations, Operation Illwind uncovered rampant defense procurement fraud throughout the defense contracting industry. The investigation revealed that many defense contractors were awarded contracts based on illegally obtained insider information. The investigation took nearly three years, resulted in more than 60 prosecutions of defense contractors, consultants, and government employees, and recovered $622 million.

Although procurement fraud is still prevalent, modern times reveal the Department of Defense’s focus has shifted to ensuringhe cybersecurity strength of the companies in its supply-chain.  The Department of Defense has a vast regulatory scheme detailing certain cybersecurity standards a contractor must meet to be awarded a defense contract.[2] This regulatory scheme (set out in the Federal Acquisition Regulations) encourages self-policing  and self-certification, but it has failed to deter companies from falsely certifying compliance with cybersecurity requirements.[3]  In response to this issue, the Department of Defense has recently implemented the Cybersecurity Maturity Model Certification, or CMMC, requiring defense contractors to obtain a third-party certification of their cybersecurity sophistication.[4]

The CMMC is designed to facilitate disclosure of a defense contractor’s cybersecurity risk, in turn mitigating the risks of false certification. The CMMC consists of five levels of certification that demonstrate a company’s cybersecurity proficiency. Each level completed assures the Department of Defense that a defense contractor is able to protect certain types of sensitive information. Additionally, the CMMC requires an independent, accredited assessor to attest to the contractor’s level of certification. The CMMC will be implemented into the procurement process and required for any contractor wishing to do business with the Department of Defense.

The Department of Defense has proven its willingness and ability to adapt to the evolving nature of false claims. From investigation to enforcement and prevention, the Department of Defense plays a significant role in obtaining recoveries and judgments against violators of the False Claims Act.

Contributed by: Berg & Androphy
Xperanza Uviedo (University of Houston Law Center ’21), Law Clerk

[1] See Press Release, Dep’t of Justice, Justice Department Recovers over $3 Billion from False Claims Act Cases in Fiscal Year 2019 (Jan. 11, 2020), available at See also Dep’t of Justice, Fraud Statistics – Overview, October 1, 1986 – September 30, 2019, available at

[2] See FAR 52.204-21 (2020); FAR 252.204-7008 (2020); FAR 252.204-7012 (2020).

[3] See United States ex rel. Markus v. Aerojet Rocketdyne Holdings, 381 F. Supp.3d 1240, 1249 (E.D. Cal. 2019) (surviving motion to dismiss on relator’s claims that Aerojet violated the False Claims Act by certifying their cybersecurity system was complaint with government requirements when it was not).

[4] U.S. Dep’t of Def., Cybersecurity Maturity Model Certification: Version 1.0 (2020), available at