Aero Turbine Inc., a defense contractor providing maintenance, repair, and overhaul services, and Gallant Capital Partners, a private equity firm, have agreed to pay $1.75 million to resolve allegations regarding failed cybersecurity requirements. This case highlights a growing enforcement trend: the Department of Justice is holding defense contractors of all sizes — and even their investors — accountable for cybersecurity compliance under the False Claims Act.
Compliance
Another <100 Employee Company Fined for False SPRS Score
08/2025
01
Company size was <100
Many companies think they are too small to be prosecuted, but this case is one of several in 2025 in which the company prosecuted had fewer than 100 employees. Small suppliers with niche roles in the defense supply chain are held to the same high standards as industry giants.
02
DoD Went After Investors
In a notable move, the DoD pursued not only the contractor but also its investors, Gallant Capital Partners. This appears to be the first time the Department of Justice has held both a company and its investors directly liable under the Civil Cyber-Fraud Initiative and the FCA for cybersecurity lapses.
03
Disclosure Did Not Eliminate Liability
Although the government acknowledged and commended AeroTurbine and Gallant for their cooperation, both companies were still required to pay $1.75 million. As stated in the settlement agreement,
“ATI submitted two written disclosures to the United States concerning ATI’s non-compliance with cybersecurity requirements relating to the MISTR Contract.”
Despite both ATI and Gallant receiving credit under the United States Department of Justice’s guidelines in Justice Manual § 4-4.112, which take disclosure, cooperation, and remediation into account in False Claims Act cases, they still faced significant repercussions.
04
Enforcement Was Retroactive
The violations occurred between 2018–2020 but were prosecuted in 2025. The government maintains a historical record of compliance submissions and can review them retroactively. Even if a company later becomes fully compliant, past noncompliance can still trigger penalties. Under the FCA, the statute of limitations extends to ten years.
What Happened
In January 2017, Aero Turbine received a U.S. Air Force contract that required compliance with NIST SP 800-171, the federal cybersecurity standard designed to protect Controlled Unclassified Information (CUI). The company handled CUI in a separate enclaved system, but the CUI was not adequately controlled within that environment; as a result, contract data ended up outside the scope of the system the company had claimed contained it.
Between January 2018 and February 2020, the company allegedly failed to implement several of these mandatory controls, leaving its systems vulnerable to potential exploitation and unauthorized data exfiltration. By mid-2019, Aero Turbine and Gallant further compounded the issue by engaging an IT company that outsourced improvements to employees in Egypt.
After these issues came to light, both companies submitted multiple written self-disclosures and cooperated with investigators. While the Department of Justice credited their disclosure, cooperation, and remediation efforts, the matter ultimately concluded with Aero Turbine and Gallant agreeing to a $1.75 million False Claims Act settlement—underscoring the serious consequences of noncompliance in federal contracting.
What to Avoid
01
Don’t Claim Contract Data is Contained When it May Not be
The company maintained a system built for CUI, but for several business, process, and technical reasons it could not control the flow of contract data and keep it isolated on the system it claimed contained it. This has increasingly become an issue for companies using virtual or cloud enclaves, where contract data and its derivatives are not all kept within the enclave.
02
Don’t Assume Compliance as a Company Official
Executives had attested to compliance without fully understanding the underlying requirements or verifying supporting evidence. Signing attestations without defensible records exposes both the company and individual leaders to significant legal and financial risk. To mitigate this, it is essential to maintain clear, documented, and auditable compliance evidence. Assessors rely on NIST SP 800-171A, which outlines 320 assessment objectives across the 110 controls. For each objective, organizations must provide at least two of three forms of evidence:
- Something to examine
- Something they can test
- Someone they can interview
Without this evidence, compliance claims cannot be substantiated, and weak attestations will not withstand regulatory or auditor scrutiny.
03
When an Issue is Found, Fix It
When issues arise, always disclose them to the government and your prime contractor. If Aero Turbine had attempted to conceal its SPRS noncompliance, the penalties could have been far more severe. Under the Supplier Performance Risk System (SPRS), contractors are required to accurately report their compliance with NIST SP 800-171. An inaccurate SPRS score exposes you to escalating legal risk, since every contract signed under a false score compounds liability. If you do have an inaccurate SPRS score:
- Update your SPRS score to be accurate
- Notify your customers of the updated SPRS score
- Implement controls per NIST SP 800-171A
- Document those controls
- Update your SPRS score to show the improvement
- Notify customers of the improved score
If you are concerned about the cybersecurity posture of your business, contact Atomus today to see how we can help you achieve compliance.