United States: Aerojet settlement signals DOJ’s sustained focus on combatting cyber-fraud through the False Claims Act

In brief

On 8 July 2022, the Department of Justice (DOJ) announced a settlement of cybersecurity fraud charges against Aerojet Rocketdyne Inc. (Aerojet) following an action under the False Claims Act (FCA). Aerojet agreed to pay USD 9 million to the US government to settle allegations that it misrepresented its compliance with cybersecurity requirements when entering into federal government contracts with NASA and the Department of Defense. The case started when Aerojet’s former employee, Brian Markus, filed a qui tam action against the company under the FCA after it allegedly failed to protect sensitive information pursuant to government rules about cybersecurity. The case was settled on the second day of trial. This is the DOJ’s second settlement in the last nine months under its Civil Cyber-Fraud Initiative, thus signaling the government’s sustained focus on combatting cybersecurity fraud through the FCA.


Aerojet manufactures products for the aerospace and defense industry, and it contracts with federal government agencies including the Department of Defense (DoD) and the National Aeronautics and Space Administration (NASA). Both the DoD and NASA impose regulations on defense contractors to implement specific controls to protect sensitive government information from cybersecurity threats, namely, Defense Federal Acquisition Regulation 48 C.F.R. § 252.204-7012 (DFARS) and NASA Federal Acquisition Regulation 48 C.F.R. § 1852.204-76 (NASA FARS).1

From June 2014 to September 2015, the relator Brian Markus ("Relator") was employed by Aerojet as its senior director for Cyber Security, Compliance & Controls.2 Relator claimed that, as early as 2014, Aerojet was not compliant with the relevant regulations and that the government awarded Aerojet contracts based on its misrepresentations of compliance. In July 2015, Relator refused to sign documents that Aerojet was compliant with cybersecurity requirements, contacted the company’s ethics hotline, and filed an internal report. Aerojet terminated Relator’s employment on 14 September 2015.3

Procedural history

On 29 October 2015, Relator filed a qui tam action under the FCA,4 alleging that Aerojet misrepresented its compliance with cybersecurity regulations and fraudulently entered into government contracts with DoD and NASA, despite knowing that it did not meet the minimum standards to be awarded government contracts.5 In June 2018, the government declined to intervene in Relator’s action, after which the case was unsealed.

On 4 January 2019, Relator filed his Second Amended Complaint (SAC) which alleged claims for: (1) promissory fraud in violation of 31 U.S.C. § 3729(a)(1)(A); (2) false or fraudulent statement or record in violation of 31 U.S.C. § 3729(a)(1)(B); (3) conspiracy to submit false claims in violation of 31 U.S.C. § 3729(a)(1)(C); (4) retaliation in violation of 31 U.S.C. § 3730(h); (5) misrepresentation in violation of California Labor Code § 970; and (6) wrongful termination.

Aerojet responded to the SAC by filing a motion to dismiss the complaint and moving to compel the employment-related claims to arbitration. On 8 May 2019, Judge William B. Shubb of the District Court for the Eastern District of California dismissed Relator’s conspiracy claim and granted Aerojet’s request to compel the employment-related claims to arbitration. However, the Court denied Aerojet’s motion to dismiss the first two counts under the FCA. Particularly, the court found that Relator had sufficiently pled materiality under the FCA, noting that although Aerojet had disclosed certain areas of noncompliance to the government, it had allegedly failed to disclose the full extent of its noncompliance. 

The parties cross-moved for summary judgment or adjudication on the remaining FCA claims. The government also filed a statement of interest in which it opposed Aerojet’s arguments. On 1 February 2022, the Court granted Aerojet’s motion as to Relator’s false certification claim, but denied Aerojet’s motion as to the promissory fraud claim. The Court also denied motions for summary judgment from both parties on the issue of damages.


On 26 April 2022, jury trial commenced on Relator’s promissory fraud claim. A jury was selected, and the parties delivered their respective opening statements.

Under the FCA, persons who violate the Act may be liable for up to three times the actual damages "which the Government sustains because of the act" giving rise to liability.6 Heading into trial, Relator claimed that Aerojet owed damages of USD 19 billion, or three times the sum of each invoice paid under each contract that was obtained through the allegedly false statements or fraudulent conduct.7 In addition, had Aerojet been found to have violated the FCA, it would have been subject to debarment or suspension and civil penalties, which are also provided for under the FCA. Aerojet claimed that the government had suffered no actual damages since Aerojet had provided the goods and services the government had contracted to receive.


Aerojet agreed to pay USD 9 million to the US government to settle the cyber-fraud allegations.

The settlement agreement does not include any admission of fault or liability on the part of Aerojet.

Why it matters

Aerojet is the first cybersecurity compliance FCA case to move past a motion to dismiss, a motion for summary judgment, and then to trial and settlement. This demonstrates a judicial willingness to recognize cyber-fraud as a viable basis for a qui tam FCA lawsuit.

This is the second settlement announced in connection with the DOJ’s Civil Cyber-Fraud Initiative, which it launched in October 2021. The Civil Cyber-Fraud Initiative was created to increase cybersecurity compliance by using the FCA to pursue cybersecurity-related violations committed by government contractors, subcontractors, and grant recipients. The first such settlement was in March 2022 and involved Comprehensive Health Services (CHS), which was accused of failing to store government employees’ medical records on a secure electronic medical record system in violation of government contract requirements. The CHS allegations were also raised via a qui tam lawsuit, in which the government partially intervened.

Client takeaways

  • Trial risk is a significant motivation to settle. Facing uncertainty regarding damages, the parties decided to settle on just the second day of trial, despite over three years of litigation and investigation.
  • Under the Civil Cyber-Fraud Initiative, the federal government will continue to use the FCA to hold government contractors accountable if they make false, misleading or incomplete representations regarding cybersecurity compliance in their government contracts.  
  • Given the uptick in cybersecurity enforcement, government contractors must be diligent in their compliance with cybersecurity regulations and careful in their assurances to the government when entering into government contracts.
  • Appropriate disclosures to the government regarding non-compliance can be key to determining materiality under the FCA.  Disclosures to and any waivers from the government must be carefully crafted and documented. Here, the parties agreed that the government contractor had not fully complied with cybersecurity requirements and that it had in fact disclosed the non-compliance to the government.  Nonetheless, Relator and the government relied on their claim that these disclosures did not fully reveal the extent of the non-compliance at the motion to dismiss and summary judgment stages.
  • As with other areas of FCA enforcement, enforcement of cybersecurity-related fraud will rely significantly on qui tam actions. Accordingly, government contractors should have systems in place to properly respond to internal warnings.  This includes, inter alia, having sufficient resources to investigate allegations raised through internal reporting mechanisms. It also involves ensuring that the functions responsible for cybersecurity receive adequate resources to assess risk, mitigate cyber threats and ensure compliance with government requirements. 

1. United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-02245 WBS AC, 2022 US Dist. LEXIS 18505, at *3-4 (E.D. Cal. 1 February 2022).

2. Id. at 2.

3. United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., 381 F. Supp. 3d 1240, 1244 (E.D. Cal. 2019).

4. 31 U.S.C. §§ 3729 - 3733.

5.  The defendants were Aerojet Rocketdyne Holdings, Inc. and Aerojet Rocketdyne, Inc. a wholly-owned subsidiary thereof. For purposes of simplicity, the defendants will be collectively referred to as "Aerojet."

6. 31 U.S.C. § 3729(a).

7. United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-02245 WBS AC, 2022 US Dist. LEXIS 18505, at *21 (E.D. Cal. 1 February 2022).

Copyright © 2024 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.