NIST SP 800-171 is a federal cybersecurity framework designed to protect Controlled Unclassified Information (CUI) on non-federal systems and networks. Any contractor working with the Department of Defense (DoD) must comply with these standards under the Defense Federal Acquisition Regulation Supplement (DFARS).
These requirements include safeguards such as:
Controlled system access
Secure authentication
Network monitoring and incident reporting
Proper media sanitization
Compliance with configuration baselines and software license controls
When a contractor falsely certifies compliance with NIST 800-171 while seeking or maintaining federal contracts, it can constitute a violation of the False Claims Act (31 U.S.C. § 3729). If the government is paying for cybersecurity compliance that doesn’t exist, that’s fraud—plain and simple. If you need a cybersecurity whistleblower attorney, give us a call.
In a sealed whistleblower lawsuit filed in October 2024, a former engineering director at Raytheon alleged widespread, deliberate noncompliance with NIST 800-171 in the company’s DarkNet system. Despite being warned by internal experts, Raytheon:
Continued using pirated software on critical systems
Granted full administrator privileges to all users (violating the principle of least privilege)
Falsely certified compliance with DFARS and NIST standards to the DoD
Failed to report security breaches and insider threats
Retaliated against the whistleblower who tried to correct the fraud
Raytheon’s actions exposed sensitive U.S. defense information and led to billions in improperly obtained federal contract payments. This type of fraudulent misrepresentation directly supports a False Claims Act case.
In a similar whistleblower suit, a cybersecurity officer at the University of Pennsylvania alleged that the school misrepresented its DFARS/NIST compliance in multiple contracts related to DoD-funded research. The university’s internal systems, according to the complaint, were woefully unprotected, and the leadership actively ignored reports of vulnerabilities.
Once again, false claims of NIST 800-171 compliance were used to maintain lucrative contracts, which could give rise to FCA penalties and potential relator awards.
Anyone with original, non-public information about a contractor falsely certifying NIST 800-171 or DFARS compliance can bring a claim under the False Claims Act. This includes:
Engineers and IT professionals
Cybersecurity officers and compliance managers
Government contract specialists
Former employees or insiders with access to audit trails or submission records
Even if you were part of the compliance process, if you were retaliated against you still have rights under 31 U.S.C. § 3730(h), which protects whistleblowers from adverse employment actions.
A strong NIST 800-171 whistleblower case includes:
Documentation of false certifications or SPRS (Supplier Performance Risk System) entries
Emails, internal audits, or communications showing leadership knew about noncompliance
Evidence of cover-ups, retaliation, or manipulation of security documentation
Contracts or Statements of Work referencing cybersecurity obligations
Proof that the government paid or awarded a contract based on these false claims
In the Raytheon case, the relator captured internal emails showing executives explicitly instructing employees to lie about DFARS compliance instead of seeking a waiver—despite knowing that DarkNet failed to meet NIST standards.
If the Department of Justice (DOJ) intervenes and recovers money in an FCA case, whistleblowers are entitled to 15–25% of the recovery. In non-intervened cases, that share increases to up to 30%. With DoD contracts often worth hundreds of millions (as in the Raytheon example), whistleblower awards can be substantial.
Both Decker and the Raytheon whistleblower were subjected to retaliation—including forced resignation, demotions, and suppression of job duties. Under the FCA, whistleblowers may also recover damages for:
Lost wages
Attorney’s fees
Emotional distress
Reinstatement
A skilled NIST 800-171 False Claims Act attorney can pursue these damages alongside your FCA complaint.
If you have information about a government contractor falsely claiming compliance with NIST cybersecurity regulations, don’t wait. A confidential consultation with a qualified whistleblower attorney can help you:
Determine if you have a viable claim
Preserve your rights and protect against retaliation
Submit a sealed complaint and disclosure statement to the DOJ
Secure your eligibility for a relator reward
Only the first whistleblower to file under the FCA is eligible for the relator reward for a particular fraud scheme. The law contains a “first-to-file” rule, so don’t delay.
We serve clients throughout the Delaware Valley including, but not limited to, those in the following localities: Pennsylvania including Berks County, Bucks County, Chester County, Delaware County, Montgomery County, and Philadelphia.