TRANSMISSION ACTIVE

// FREQ: GOVCON EPISODE: 007 STATUS: SECURE

007 Are You Putting Revenue Before National Security?

For years, GovCon lived on the honor system—ticking compliance boxes to chase revenue while promising to fix security gaps later. That era is over. Today, the DOJ is treating inadequate cybersecurity as a federal crime under the False Claims Act. In this transmission, we analyze why neglecting controls like NIST 800-171 is now considered fraud, the rising financial incentives for insiders to become whistleblowers, and what GovCon fiduciaries must do to align profitability with national security before they become the next example.

JUMP POINTS //

00:45

The Death of the Honor System

Analyzing the historic shift from unverified self-attestation to mandatory DOD/DOJ verification.

03:20

Activating the False Claims Act (FCA)

How simple technical failures (skipping patches or ignoring access controls) become federal fraud investigations.

04:40

The Whistleblower’s Math

Breaking down the financials: Why insiders are incentivized with 15-30% of massive federal settlements.

07:57

Accountability 2.0: Personal Executive Liability

Why “the security team said we were good” is no longer an acceptable legal defense for the C-Suite or Board.

09:31

Marching Orders: Third-Party Truth & CUI Enclaves

Immediate tactical steps to secure your cleared facility and your balance sheet tomorrow.

// INCOMING SITREP

While this briefing covers the strategic shift, our latest SITREP dossier provides a tactical, deep-dive analysis. Read 'Revenue vs. Resilience: The Government’s New Cyber Mandate Just Became Personal' to see exactly how checking the compliance box leaves your doors wide open to DoJ targeters.

ACCESS THE BRIEF »

TRANSMISSION LOG //

In the high-stakes theater of government contracting, an uncomfortable but necessary strategic question arises: Are you placing short-term revenue realization before long-term national security?

For decades, the GovCon industry operated on a flawed defensive model based on the “honor system.” Contractors chasing revenue on DOD contracts would check compliance boxes, promise to remediate security gaps through endless Plans of Action and Milestones (POA&Ms), and secure the award. Fiduciaries viewed cybersecurity scores merely as “revenue gates”—criteria needed to unlock profit.

That conventional thinking creates a culture of negligence that jeopardizes Controlled Unclassified Information (CUI). The new reality dictates that when you misrepresent compliance to win a bid, you are cheating the system and exposing sensitive intel to our adversaries. In this transmission, we explore why the Department of Justice is finally treating poor cybersecurity as a federal crime, leveraging the False Claims Act (FCA) to pursue contractors who prioritized speed over operational integrity.

The Death of “Trust,” The Rise of “Verify”

The DOD and DOJ realize they are no longer just fighting on land, sea, and air—they are fighting in cyberspace. If your organization is a government contractor, you are not just a vendor; you are part of the federal defense architecture.

Historically, contractors provided a security score based on a supplier’s performance risk system metric as a gate to entry. It required no third-party attestation. In response to catastrophic breaches and supply chain attacks, fiduciaries can no longer just say they have a great score. The feds are reverting to the basics of tactical defense: Trust, but Verify.

If your actual security posture is weak, but you attestation says otherwise to win a contract, that is now considered fraud against the United States.

The Financial Fallout: Whistleblowers & Personal Liability

Neglecting access controls or skipping critical patches because “the IT budget was too tight” activates immense legal and financial liability via the False Claims Act (FCA). Government contractors must understand this new landscape. The DOJ is prioritizing FCA investigations into cybersecurity misrepresentation, particularly those initiated by whistleblowers.

Executives and Managing Directors need to perform the “math” on this new threat vector:

Incentivized Insiders: In 2025 alone, there were nearly 1,300 whistleblower cases filed. Insiders who witness compliance fraud (reporting a high score on unpatched systems) are financially incentivized to report.
Treble Damages: Whistleblowers receive approximately 15% to 30% of the total federal settlement. Those settlements are calculated at three times (treble damages) the original contract value.
The Fiduciary Target: The focus on accountability means the “IT debt” excuse is dead. Executives and board members may be held personally liable for compliance failures. If you signed an attestation without personally verifying it via due diligence, You have legal liability.

Marching Orders: Aligning Profitability with Resilience

To navigate this epidemic of federal fraud targeters, GovCon fiduciaries must move beyond audit readiness and embrace operational integrity. They can begin by adopting best practices that protect themselves from legal repercussions while fulfilling their obligations to national security.

1. Engage an Independent Third-Party Auditor

You must get an unbiased, independent assessment of your security posture. You cannot secure what you cannot see. The first strategic step is to hire an external assessor and explicitly instruct them to “find every flaw.” Many firms fear negative audit findings and hire “check-box” assessors who balance validation with future repeat business considerations. Do not fail your mission through vanity audits. You right away tell them you want the honest truth about your vulnerabilities.

2. Segment Data via a Controlled Unclassified Information (CUI) Enclave

The primary friction point fiduciaries cite is the cost of implementing over 100 controls from NIST 800-171 across an entire enterprise network. It is too expensive and complex.

The tactical solution is simple: Build a CUI enclave. Segregate sensitive government data—CUI—from the rest of your non-cleared operations. This isolated environment incorporates robust security controls and prevents cross-contamination of data. This approach contains the high-compliance costs only to where they are required, making resilience affordable and manageable.

3. Utilize Government-Certified Cloud Services

Do not build your CUI infrastructure in a non-certified cloud. Using cloud services designed specifically for government contracts—such as designated “Gov Clouds”—ensures your data is stored securely and in full compliance with federal regulations. Using non-certified services puts your balance sheet and national security at unacceptable risk.

If you put revenue before national security, you could ultimately lose both. The perimeter is no longer your network; it is the legal and ethical liability tied to every contract you sign. Mission success is about operational integrity. Execute to the standard. Execute to resilience.

// DECODED TRANSCRIPT

Access the full text logs of this transmission for compliance and review purposes.

Actual (00:00)
Welcome to Status Secure. Today we’re asking a very uncomfortable question to anyone in the government contracting space. Are you putting revenue before national security? For years, the industry lived on the honor system. You wanted to win a DOD contract. You checked the boxes, promised you’d fix the security gaps later and chase the revenue. But when you lie on a compliance form to win a bid, you aren’t just cheating the system. You’re leaving

controlled unclassified information exposed to our adversaries. Today we’re discussing why the Department of Justice is finally treating poor cybersecurity as a federal crime. What are your thoughts on this, CISO?

The CISO (00:35)
Yeah, so I mean, there’s always been the supplier risk, right? And the government contractors have typically provided their security score as a gate, right? As one of the criteria to be able to And it didn’t require a…

you know, any kind of third party attestation, it was just pretty much, hey, tell us your security score based on a supplier’s performance risk system, right? That was to measure how well you protected, controlled, unclassified information for the government, right? It’s just a, it was a security metric, but again, you know, contractors looked at it as like, okay, I need a certain score in order to bid on this contract, right?

It was a gate. It was a revenue gate. It kept them from being able to make money. So what they did was they just put in there a really great score so they could bid on the contract. Which I think, where we are now, where there have been major breaches, major cyber incidents, the DOD and the DOJ,

you know, they just and the Department of Justice and the feds just in general can’t allow that anymore because they realize, you know, they’ve realized it for a while now that, you know, we’re not just fighting on land, sea and air. We’re also fighting on in cyberspace. So, you know, if you’re a government contractor, you’re part of the military, right? You’re part of

the federal defense for the nation. And so you can’t just say you have a great score. They can’t just trust that. It’s the basics of security, trust but verify. And the honest system was just trust. There was no verification. So now they’re saying, hey, this has really great impact. And so you know,

they can no longer just trust. if you are not, know, your security posture is not that great, but you say it is just so you can bid on the contract, that is considered fraud. And it’s a federal crime because it has really great impacts. I mean, think of all of the cyber breaches. Like the big one I can think of is that one where, you know, where like millions of

military personnel information, right, was, is just out there in, you know, in the dark web somewhere, right? You just can’t have that anymore.

Actual (03:09)
Yeah. So how does a technical failure like skipping a patch or ignoring access controls because the IT budget was too tight? How does that turn into a federal fraud investigation?

The CISO (03:20)
Well, you know, first you have to take a look at the what’s called the FCA, the False Claims Act. And so I think that was, I can’t remember the exact year, but it’s been around. Right. But now the DOJ, you know, they’re using it, right. They’re using the FCA, the False Claims Act, to say, hey, if you are false, basically, you know,

making a false claim that your security is better than it is, then they’re going to use that in order to investigate you, in order to take you to court, in order to get financial restitution, and to make sure that you and everyone else understands that that’s no longer tolerated. And they’re going to make you an example.

And I think one of the big things is whistleblowers, right? What they’ve seen in just 2025. So that was just last year. There were 1,297 whistleblower cases filed. That’s over 1,000. And then, basically, let’s say, for instance, they do your whistleblower.

And now they, you know, the federal government says, okay, this is a very valid case. They start investigating. Okay. And so they do their investigation. goes to court and there’s a settlement. Right. So a whistleblower will get about 15 to 30 % of that settlement. And the settlement is based on, the, you know, what, the way that they,

do this, you know, how much a company is has to pay besides the fact that you no longer can bid on government contracts, right? If you had a federal clearance, that is no longer they revoke that, right? So you lose all of that, you can’t bid on government contracts anymore. Then on top of it, they say the cost is three times the contract. So if your million dollar contract that you wanted this revenue so badly that you were willing to lie,

to get it, now it’s going to cost you three million and a whistleblower will get 15 to 30 % of that. I mean, that really makes a difference, especially if they feel like you’re not doing, I mean, you’re supposed to be protecting our national security and you’re not doing that. You’re putting our national security at risk. Of course, a whistleblower is going to be like, this is the right thing to do and I’m going to make money.

And I don’t have to do any of the work because the government will go go investigate. And this, I mean, this affects not only the prime, but the subcontractors. So primes, right? So if you’re primary on a government contract and you use subcontractors, you should be worried. You should be worried about your subcontractors because they could cost you a lot of money.

Actual (06:10)
Yeah. And I guess why does this happen? Is it malice? Are these government contractors just overwhelmed by the cost of compliance and just trying to keep the lights on? Like, I guess what would be a viable reason for neglecting these areas?

The CISO (06:26)
I think because historically, historically they’ve been able to get away. mean, it’s not malicious. It’s just historically they’ve been able to get away with just having, ⁓ you know, a poem, a plan of action and milestone, you know, ⁓ being able to say, Hey, we’re aware of this risk and we’re managing it because we, cause we’ve identified it and we have a plan to fix it. so because of that, they use that as a reason to.

say that they’re governing their security, so their score should be higher. And it’s just cost, because it can be too expensive to do all the controls. Because NIST 800171, I think there’s over 100 controls that they have to implement. And so as a business, they’re like, I’m trying to, especially if there’s just starting,

or early on, they’re like, need to make money. We can do these controls later.

Actual (07:23)
Yeah. So when the Department of Justice steps in because of the whistleblower report, like, and I know you mentioned some things that could happen, but what are some other negative consequences to revenue on, like the executive team that, you know, like they’re, trying hard to protect their, business. They’re trying hard to protect the revenue, their income source.

the work they’re doing, maintain their contracts so they can then do a good job and they can get the next contract, right? So there’s a lot going on here. But what are the other, maybe other financial consequences to sort of not putting a priority on this?

The CISO (07:57)
Well, they’re making, accountability is really big now, right? Because they say, hey, you’re the board, you’re the executive, right? Saying that, well, my security team said it was good, right? Is no longer an acceptable response, right? So personally, the board, individually.

They could be, you know, they’re going to have financial like I’ve seen now on court cases where they named individuals in the court case, not just the company. So if you think you’re creating a LLC or a corporation and you’re not going to be personally liable, you need to really get an attorney’s opinion because these days they name, you know, they’re naming individuals.

⁓ so if you signed off on it and you didn’t get any kind of verification except from your, from your security team or your it guy, you know, you’re not doing your due diligence. You know, it’s so easy to get a third party to do the review. I there’s so many companies that do that now. so, you know, that could, that could bankrupt you personally, and it can definitely take the business out.

Actual (09:09)
Yeah, so let’s talk about marching orders for these government contractor executives listening to this, things they can take away and maybe think about maybe something that’s actionable that they could implement. You know, it’s because we want to protect national security, but we also want to run a profitable business. So how do we align the two starting tomorrow?

The CISO (09:31)
I mean, I mentioned it earlier, which is, you know, get a third party and tell them you want the truth. Because you have to be careful because sometimes when you hire third party assessors or auditors, you know, they’re trying to make sure that they have repeat business. Right. So, you know, they’re trying to balance that and doing an actual audit. So you right away just tell them you want the honest truth. You’re not going to be upset if it comes back and they find a lot of problems. Right.

So that’s the first thing. That way you can get a real understanding of your security. Second, well, in parallel, you can go ahead and review where your controlled unclassed, your CUI data. You need to build what’s called a CUI enclave. It’s even in the CMMC requirement, right? Is that you have a CUI enclave, which means that that’s

that data for the government that you’re working on is segmented. It’s all the security controls in it. It’s isolated from the rest of your network. So you’re not co-mingling data, the government and the private. And just make sure that it’s segmented. And this way, it helps a lot because you don’t want to implement

everything on your entire, you know, network and for your entire company, that gets too expensive. But if you just put your government data in its own area, I mean, that’s why you have, that’s why when you look at, there’s so many, like if you do cloud, they have a government cloud, right? And so you use that, make sure you use that. Don’t be putting, don’t be building, if you’re gonna contract with the government, don’t be building your stuff in a non-government,

certified cloud, right? Those are the things you can do right away.

Actual (11:18)
Got it. Thanks for that. So the perimeter is no longer just your network. It is the legal and ethical liability tied to every contract you sign. If you put revenue before national security, you could ultimately lose both. So mission success is about operational integrity. So let’s execute to the standard and we’ll see you next week.

JOIN "THE WATCH" //

Receive critical SITREPs, Industry Alerts, and Threat Indicators sent directly to your inbox.

By submitting this form, you agree to our Terms & Conditions and Privacy Policy.

SILENCE THE NOISE. AMPLIFY THE SIGNAL.

INTELLIGENCE IS USELESS IF YOU AREN'T LISTENING.

Join The Watch to receive New Episode Alerts, Strategic Breakdowns, and Guest Intel delivered to your inbox.