On July 31, 2025, the U.S. Department of Justice (“DOJ”) announced a $1.75 million False Claims Act (“FCA”) settlement with Aero Turbine Inc. (“Aero Turbine”), a California-based defense contractor, and private equity firm Gallant Capital Partners LLC (“Gallant Capital”). The settlement arises out of allegations that Aero Turbine failed to comply with certain cybersecurity requirements under an Air Force contract and provided impermissible foreign third party access to sensitive defense information. This settlement highlights yet another example of the DOJ’s increased scrutiny of cybersecurity requirements (under the Cyber Fraud Task Force), specifically including the protection of Controlled Defense Information (“CDI”), under the FCA. The settlement is also an example of DOJ’s focus on (1) pursuing private equity investors and (2) rewarding entities that self-disclose and remediate wrongdoing.
Specifically, on January 25, 2017, the Air Force awarded Aero Turbine Contract No. FA8122-17-D-0001 (“MISTR Contract”), under which it would repair and maintain turbojet engines. The MISTR Contract incorporated Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7012, which requires DOD contractors and subcontractors to provide adequate security on contractor information systems that process, store, or transmit CDI consistent with the security requirements specified by National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171. Aero Turbine maintained an information system that contained CDI. The settlement alleges that, from January 2018 to February 2020, Aero Turbine failed to implement certain cybersecurity controls under NIST SP 800-171 that could lead to significant exploitation of the system or exfiltration of CDI. In addition, the settlement alleges that, in June and July 2019, Aero Turbine and Gallant failed to control the flow of, and limit unauthorized access to, CDI by providing a software company in Egypt with files containing such information. After engaging the Egyptian software company to improve its programs, a Gallant employee assisting Aero Turbine provided the software company’s Egyptian personnel with data that contained CUI relating to the MISTR Contract. The software company and its foreign citizen personnel were not authorized to receive sensitive defense information under the Air Force contract.
After learning of the issues, Aero Turbine and Gallant provided the government with multiple written self-disclosures, cooperated with the government’s investigation, and took prompt remedial action. Aero Turbine and Gallant received credit under the U.S. Department of Justice’s guidelines for disclosing, cooperating, and remediating these issues, ultimately leading to the $1.75 million FCA settlement.
This case signals DOJ’s continued heightened focus on FCA enforcement, with a particular focus on federal government contracting cybersecurity requirements, consistent with a number of recent other settlements and other FCA cases. It also demonstrates the value DOJ places on a putative defendant’s prompt self-disclosure and remediation in settling matters.
