1. Home
  2. |Insights
  3. |Logged Out: How LOGZONE's DIBCAC Challenges Put It Squarely in DOJ's Crosshairs

Logged Out: How LOGZONE's DIBCAC Challenges Put It Squarely in DOJ's Crosshairs

Client Alert | 4 min read | 07.02.26

On June 18, 2026, the U.S. Department of Justice (DOJ) announced that LOGZONE Inc., a defense contractor based in Huntsville, Alabama, agreed to pay $507,144 to resolve allegations that it violated the False Claims Act (FCA) by knowingly failing to satisfy cybersecurity requirements in its contracts with the U.S. Department of the Navy. The resolution is the latest action under DOJ’s Civil Cyber-Fraud Initiative and the first publicly reported settlement this fiscal year. It underscores a continued enforcement posture in which noncompliance with contractual cybersecurity obligations serves as the basis for potential FCA liability. Notably, this settlement did not arise from a whistleblower complaint but from a government-initiated assessment, signaling to contractors that proactive government assessments can pose enforcement consequences.

Background and Allegations

LOGZONE is a logistics services provider that was awarded two successive Navy contracts, in March 2021 and November 2022, to perform logistical, inventory, and facilities support services for the Naval Oceanographic Command Property Management Program (together, the NAVOCEANO Contracts). Through at least March 2025, LOGZONE received approximately $682,000 in payments under these contracts.

Both contracts incorporated Defense Federal Acquisition Regulation Supplement (DFARS) clauses: (i) 252.204-7012, which requires U.S. Department of Defense (DoD) contractors to provide adequate security on all covered contractor information systems by implementing the controls set forth in NIST Special Publication 800-171; and (ii) 252.204-7019 and 252.204-7020, which require contractors to post a current summary-level NIST SP 800-171 self-assessment score to the Supplier Performance Risk System (SPRS) and cooperate with higher confidence assessments conducted at the discretion of the Defense Contract Management Agency (DCMA).

In October 2021, LOGZONE submitted a self-assessed SPRS score of 110 — a perfect score indicating complete implementation of all required security controls. However, when the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) of the DCMA completed an independent assessment of LOGZONE’s actual controls in February 2024, LOGZONE received a score of -170, placing it near the low end of the possible scoring range.

The government alleged that, from May 2021 through March 2025, LOGZONE failed to fully implement required NIST SP 800-171 security controls across the information systems it used to process, store, or transmit covered defense information — and that it submitted invoices to the Navy throughout that period with knowledge of its noncompliance. Under the terms of the agreement, LOGZONE is required to pay $507,144, of which $253,572 constitutes restitution.  

Government-Driven Investigation

Unlike recent Civil Cyber-Fraud Initiative settlements driven by whistleblowers (e.g., Georgia Tech Research Corporation; MORSECORP Inc.), the LOGZONE investigation was triggered by the government’s own assessment process. DOJ identified LOGZONE’s alleged compliance failures as a result of DCMA's DIBCAC assessment that produced the -170 score — demonstrating that existing audit mechanisms now serve as independent FCA investigative tools.

Restitution Exceeds One-Third of Total Contract Payments

While the $507,144 settlement is modest relative to several settlements in 2025, the NAVOCEANO Contracts generated only approximately $682,000 in total payments during the relevant period. The percentage of the restitution when compared to the contract payments LOGZONE received during the period of alleged noncompliance exceeds one-third of the payments and is significant, particularly because LOGZONE did not provide cybersecurity services or products to its federal customers. Contractors of all sizes should be aware that their FCA exposure in a cybersecurity enforcement action can be a large proportion of government payments received under relevant contracts while those failures persisted.

Key Takeaways

  1. DIBCAC assessments can carry direct enforcement consequences. The LOGZONE matter illustrates that DCMA’s DIBCAC assessments are not merely compliance checkpoints; they can serve as the evidentiary foundation for FCA investigations and civil enforcement actions.
  2. The gap between self-reported and third-party assessed SPRS scores remains a key area of FCA liability risk. The delta between LOGZONE’s self-assessed score of 110 and its DIBCAC-assessed score of -170 is among the largest in public enforcement actions involving cybersecurity noncompliance. Contractors should rigorously validate self-assessment methodologies and ensure that scores reflect actual implementation rather than planned or aspirational states.
  3. The settlement amount is significant when measured against actual contract payments. With restitution alone exceeding one-third of LOGZONE’s total contract receipts, this resolution illustrates that a monetary resolution can amount to a substantial portion of the revenue a contractor earned. Small and mid-sized contractors are not insulated from significant proportional exposure simply because their contract values are lower.
  4. NIST SP 800-171 compliance is critical for DoD contractors. Enforcement actions continue to arise from alleged foundational gaps and noncompliance with DFARS 252.204-7012, 252.204-7019, and 252.204-7020. With the recently finalized Cybersecurity Maturity Model Certification (CMMC) program adding third-party verification, contractors now face an increasingly varied compliance and enforcement environment.
  5. Multi-agency coordination signals sustained enforcement focus. DOJ coordinated with the Department of the Navy’s Office of the General Counsel, the Naval Criminal Investigative Service (NCIS), the Army Criminal Investigation Division (CID), and DCMA in resolving this matter, and the settlement was announced in connection with the administration’s Task Force to Eliminate Fraud and the National Fraud Enforcement Division, underscoring that cybersecurity FCA enforcement enjoys broad interagency support and is unlikely to recede in the near term.

Contacts

Insights

Client Alert | 4 min read | 07.02.26

A Busy Week for Aviation Regulatory Developments

The week of June 29 brought a flurry of regulatory activity from the Department of Transportation (DOT), the Federal Aviation Administration (FAA), and the Transportation Security Administration (TSA) impacting companies across sectors including airlines, supersonic aircraft manufacturers, drone operators, and owners/operators of critical infrastructure facilities.  A summary of the key developments is below....