Defense contractor settles cybersecurity False Claims Act allegations

While not an explicit violation of the CMMC program, the suit highlights the Defense Department’s increasing scrutiny of defense companies that do not implement required cybersecurity measures for sensitive information.
Aerial view of the Pentagon building in Arlington, Va., on Wednesday, October 22, 2025. (Bill Clark/CQ-Roll Call, Inc via Getty Images)

LOGZONE, an Alabama-based logistics services provider, has agreed to pay more than $507,000 to resolve allegations that it misrepresented its compliance with Pentagon cybersecurity requirements while doing work with the Navy.

According to a settlement agreement published Thursday, the Justice Department alleged that LOGZONE failed to fully implement required security controls under NIST Special Publication 800-171 despite its contract mandating compliance. While not an explicit violation of the Cybersecurity Maturity Model Certification (CMMC) program, the suit highlights the Defense Department’s increasing scrutiny of defense companies that do not implement required cybersecurity measures for sensitive information.

The settlement stems from two contracts awarded by the Navy between 2021 and 2022 for logistics, inventory management and facility support services for the Naval Oceanographic Command located at Stennis Space Center in Mississippi. According to the settlement agreement, LOGZONE received more than $682,000 under the contracts through March 2025.

NIST SP 800-171 establishes cybersecurity requirements for defense contractors that handle controlled unclassified information (CUI) on non-federal systems. The framework includes 110 security controls covering areas such as access management, incident response, system monitoring, and risk management against which vendors must self-assess compliance.

The Navy’s contracts with LOGZONE incorporated clauses that required the company to implement NIST SP 800-171 controls and to report cybersecurity assessment scores through the Defense Department’s Supplier Performance Risk System (SPRS). LOGZONE submitted a perfect self-assessment score of 110 in October 2021, according to the settlement.

However, a review conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) in 2024 found that the company had actually scored a negative 170 — near the bottom of the program’s scoring range.

The DOJ contended that LOGZONE knowingly submitted claims for payment between 2021 and 2025 despite failing to fully comply with required cybersecurity controls. The company agreed to pay $507,144 — including $253,572 in restitution — to resolve potential civil liability under the False Claims Act and other statutes, although the settlement does not include an admission of liability.

For years, defense contractors have been required to implement those controls under Defense Federal Acquisition Regulation Supplement (DFARS) clauses tied to the protection of sensitive government information. 

Because companies have historically been required only to self-assess their compliance, the Defense Department established the CMMC program in 2019 as a way to introduce a verification system and mandate standardized security practices across the industrial base.

After a lengthy back-and-forth between the Pentagon and defense industry, the department officially began implementing CMMC in November. The DOD is taking a phased approach to enforcing the new requirements, and plans to introduce additional mandates on an annual basis.

While the case with LOGZONE is not a direct violation of CMMC, the requirements that the company failed to implement are the foundation of CMMC Level 2. Beginning in November 2026, vendors working with CUI will have to prove their cybersecurity compliance via a certified third-party assessor.

Cybersecurity attorneys in the past have pointed to False Claims Act settlements involving NIST compliance as a likely preview of how the Pentagon may pursue companies that inaccurately report their cybersecurity posture. Such settlements could also be used by other members of the industrial base as the basis for future bid protests.

Written by Mikayla Easley

Mikayla Easley reports on the Pentagon’s acquisition and use of emerging technologies. Prior to joining DefenseScoop, she covered national security and the defense industry for National Defense Magazine. She received a BA in Russian language and literature from the University of Michigan and an MA in journalism from the University of Missouri. You can follow her on Twitter @MikaylaEasley.
