A recent Department of Justice (“DOJ”) settlement highlights the importance of assessing cybersecurity compliance for government contractors during mergers and acquisitions (“M&A”). In April 2025, DOJ announced an $8.4 million settlement with a defense contractor resolving alleged cybersecurity noncompliance by a company it acquired. Notably, under the settlement, the acquiring company was liable for cybersecurity noncompliance that occurred prior to the acquisition.
In the M&A context, successor liability arises when an acquiring company becomes responsible for liabilities, obligations, or wrongful acts committed by the company to be acquired prior to the acquisition. Fundamentally, successor liability ensures that a corporate acquisition does not allow the acquired entity to escape accountability. In the settlement, DOJ explicitly named the acquiring company as the “successor in liability” for the acquired company’s alleged violations, even though the conduct at issue occurred years before the acquisition. This underscores the importance for acquirers to add cybersecurity compliance to the issues vetted during due diligence.
The settlement also highlights DOJ’s continued scrutiny of contractors’ compliance with cybersecurity requirements mandated by DFARS and by the National Institute of Standards and Technology’s (“NIST”) Special Publication 800-171 (“NIST SP 800-171”). The settlement agreement detailed that the acquired company used an internal network to perform work on government contracts that required compliance with these cybersecurity standards. However, according to DOJ, the acquired company failed to implement all of the required security controls, did not develop a system security plan for its network, and ultimately submitted false claims for payment under the False Claims Act (“FCA”) by implying certification of cybersecurity compliance—which DOJ, through this and other similar FCA settlements, has made clear is material to the government’s decision to pay. Contractors can no longer treat implementation of cybersecurity controls as aspirational. Federal authorities have emphasized that accurate representations of compliance are essential when performing contracts involving covered defense information. False or misleading representations about compliance with cybersecurity standards, whether intentional or the result of internal oversights, can be the source of liability under the FCA, as demonstrated by this and other recent enforcement actions.
This settlement demonstrates the importance of cybersecurity compliance during M&A due diligence. Beyond reviewing a target’s financial statements and operational status, buyers must obtain a thorough understanding of the seller’s cybersecurity posture, associated risk factors, and any deficiencies in the target’s existing compliance mechanisms. This may involve evaluating system security plans, incident response procedures, and any certifications or contractual commitments to ensure adherence to NIST protocols. Buyers who fail to conduct comprehensive technical and legal assessments may inherit not only potential data breaches but also significant legal liabilities, including multimillion-dollar settlements and the costs of responding to regulatory investigations. Sellers, for their part, should proactively document compliance steps, be transparent about the status of their cybersecurity programs, and make relevant stakeholders available for buyer inquiries. Both parties should pay close attention to transaction agreement terms, including representations, warranties, and indemnities related to cybersecurity compliance.
In sum, this settlement serves as a reminder that government contractors should rigorously integrate cybersecurity compliance into their broader corporate governance and due diligence practices. Timely post-closing remediation is also critical—buyers should promptly address any identified deficiencies and ensure that all required controls are implemented as soon as practicable. As the regulatory landscape continues to evolve, and with the phased rollout of the Department of Defense’s Cybersecurity Maturity Model Certification (“CMMC”), both buyers and sellers in the government contracting space must prioritize robust cybersecurity programs and transparent, well-documented compliance efforts to mitigate the risk of successor liability and enforcement actions.