On December 5, 2025, the Department of Justice (DOJ) reported another settlement under the False Claims Act (FCA) related to cybersecurity. Swiss Automation agreed to pay $421,234 to the Government as a result of failing to provide adequate cybersecurity controls for drawings of parts supplied to Department of Defense (DoD) prime contractors. The qui tam suit under the False Claims Act (FCA) was brought forward by a whistleblower, not an Information Technology (IT) employee, but a Quality Control Manager of the company. The whistleblower received $65,291.
Swiss Automation is a precision machining company in Illinois. They machine alloy and metal parts for commercial and government end-users in many industries, including medical, defense, aerospace and more. The False Claims Act settlement resulted from Swiss Automation not providing adequate cybersecurity to safeguard drawings of parts that the company machined and supplied to DoD prime contractors.
What Requirement was Swiss Automation Noncompliant With?
Swiss Automation failed to comply with the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), which requires safeguarding covered defense information and is included in DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting. The settlement indicated that Swiss Automation was allegedly aware of the requirement to implement adequate cybersecurity controls. The DFARS clause is a flowdown in all contracts and subcontracts except for contracts/subcontracts for the acquisition of Commercially Available Off-the-Shelf (COTS) items.
Do Machine Parts Qualify as COTS?
No, machined parts based on drawings, especially from the Government or prime contractor, do not qualify as COTS items and will not be exempt from DFARS 252.204-7012.
FAR 2.101 defines COTS items as commercial products sold in substantial quantities in the commercial marketplace and offered to the Government under a contract or subcontract at any tier without modification. Almost all machined parts for DoD are specific to a prime contractor/Government drawing, and are not offered in the commercial marketplace or sold unmodified. Some contractors claim that machining is a commercial service; however, the COTS definition applies only to products, not services.
Does this mean it doesn’t qualify as a commercial product or service? No, it just means it doesn’t meet the COTS definition. Whether a company proposes machining as a commercial product or service under a government contract or subcontract, compliance with the DFARS 252.204-7012 clause for adequate security is required.
Department of Justice Initiative on Cybersecurity
The Department of Justice continues its 2021 initiative to pursue cybersecurity fraud. It is encouraging whistleblowers to report contractors who are not complying with cybersecurity requirements. Generally, current or former employees (yes, former employees) who file qui tam suits can receive an incentive payment from the Government of 15 to 30 percent of the recovery. To date, many whistleblowers have reported false claims that companies are failing to comply with cybersecurity requirements. Although the Swiss Automation settlement and whistleblower payout may appear to be a relatively small amount, the company incurred legal and other expenses to settle it. (See our articles, Another Cyber Security Noncompliance Under False Claims Act and Another False Claim for not Accurately Reporting NIST Score in the SPRS).
Takeaways
The Government doesn’t care whether your company is large or small. When the DFARS 252.204-7012 clause is in your contract or subcontract, you need to comply with the requirements. Don’t think you can wait until you receive a solicitation with DFARS 252.242-7012 before you start implementing cybersecurity controls. If you plan on selling products other than COTS or commercial services with covered defense information to the Government or prime contractors, you need to ensure you understand the commitment you are making to comply with cybersecurity requirements before you sign the contract/subcontract.
Be proactive. If an employee notifies management of a potential noncompliance with the cyber requirements in a contract/subcontract or an inadequate cybersecurity assessment, investigate and correct it to reduce the company's exposure to any civil liability. You don’t want to be surprised by a qui tam suit from one of your current or former employees.
It is important to read your solicitation provisions and your contract or subcontract and understand the clauses. Often, prime contractors include links to their websites for terms and conditions and FAR/DFARS flowdowns. The link generally contains a list of all FAR/DFARS clauses and is not tailored to a specific contract type or dollar threshold. Unless you sell a COTS product, almost all government contracts and subcontracts will have to meet one of the Cybersecurity Maturity Model Certification (CMMC) levels prior to award.
Taking Action Before a Whistleblower Does
Cybersecurity requirements in government contracts are not optional, and recent enforcement trends show that the risks of noncompliance extend far beyond technical issues. As whistleblower activity continues to rise, government contractors should take internal concerns seriously and act quickly to review contract clauses, assess existing controls, and resolve gaps. Redstone GCI assists government contractors in understanding federal cybersecurity obligations and supports efforts to meet DFARS 252.204-7012 and NIST SP 800-171 requirements. We collaborate with trusted partners to help clients implement practical, effective cybersecurity measures that align with contractual expectations and reduce exposure to potential False Claims Act (FCA) liability.
Lynne is a Director with Redstone Government Consulting, Inc. providing government contract consulting services to our clients primarily related to Commercial Item Determinations and support, Cost Accounting Standards, DFARS Business System Audits, Proposals, and Incurred Cost. Prior to joining Redstone Government Consulting, Lynne served in several capacities with DCAA and DCMA for over 35 years. Professional Experience Lynne began her career working with DCAA in the Honeywell Resident Office, Clearwater, FL in 1984. Lynne’s experience included various positions which involved conducting or reviewing forward proposals or rate audits, financial capability audits, progress payments, accounting and estimating systems, cost accounting standards, claims and disclosure statement reviews. She is an expert in FAR, DFARS, CAS and testified as an expert witness. Lynne assisted in drafting the commercial item guidance for DCAA Headquarters. Lynne was assigned as a Regional Technical Specialist where she provided guidance to 20 field offices on highly complex or technical issues relative to forward pricing, financial capability or progress payment issues. As an Assistant for Quality, she was involved in reviewing and ensuring audit reports were in compliance with policy and GAGAS as well as made NASBA certified presentations to the staff including but not limited to billing reviews, CAS, unallowable cost and progress payments. To enhance her experience in government contracting, Lynne accepted a position with DCMA in 2015 as part of the newly organized DCMA Cadre of Experts in the Commercial Item Group. This included performing reviews of prime contractor’s assertions and/or commercial item determinations as well as performing price analyses. Lynne was a project lead and later became a lead analyst where she engaged with the buying commands on requests and reviewed price analysis reviews performed by a team of 5 analysts. She also assisted the DCMA CPSR team relative to commercial items and co-instructed the Commercial Item Training presented to DCMA. Education Lynne earned a Bachelor of Science Degree in Accounting from the University of Central Florida. Certifications State of Florida Certified Public Accountant State of Alabama Certified Public Accountant Defense Acquisition Workforce Improvement Act (DAWIA) Level III- Auditing DAWIA Level III – Contracting