False Claims Act Cybersecurity Risks: Lessons from the Hillmer Indictment

  • Writer: Kedge Security Team
  • Dec 13, 2025
  • 3 min read

The Department of Justice recently announced a stark warning to government contractors in the form of an indictment against Danielle Hillmer, a former senior manager for a Virginia-based contractor. Charged with major government fraud, wire fraud, and obstruction of federal audits, the case serves as a critical reminder that when it comes to False Claims Act cybersecurity enforcement, the cover-up is often far worse than the crime.



The Case Against Hillmer

According to the DOJ press release, Hillmer allegedly orchestrated a scheme to deceive federal agencies, including the U.S. Army, about the security posture of a cloud-based platform. The indictment claims she falsely represented that the platform met FedRAMP High and DoD Impact Level 4 and 5 standards, despite knowing the system lacked essential access controls, logging, and monitoring capabilities.


Crucially, the charges allege that she didn't just fail to meet the standards; she actively concealed these failures from auditors, instructing others to hide the true state of the system during testing and demonstrations.


The Critical Importance of Accuracy

For organizations navigating CMMC, FedRAMP, or RMF, the pressure to "pass" an assessment can be immense. However, the Hillmer case underscores that accuracy in speaking with auditors and regulators is non-negotiable.

Auditors are not just checking boxes; they are validating trust. When a contractor signs off on a System Security Plan (SSP) or attests to compliance, they are making a legal representation to the federal government. Misleading an auditor or falsifying the status of a control transforms a compliance gap into a criminal liability.


Embracing "Bad News"

One of the most dangerous instincts in compliance is the desire to hide "bad news." In the federal ecosystem, bad news is allowed. If a control is not fully implemented, the correct path is to document it in a Plan of Action and Milestones (POA&M).


Agencies understand that cybersecurity is a journey. They can often work with a contractor who honestly reports a deficiency and provides a realistic remediation plan. What they cannot tolerate—and what the DOJ is aggressively prosecuting—is being told a system is secure when it is not.


The Shield of Due Diligence

While the Hillmer indictment is alarming, it also highlights a silver lining for ethical contractors: intent matters.


Under the False Claims Act, civil liability hinges on "knowing" misconduct, which the statute defines as actual knowledge, deliberate ignorance, or reckless disregard for the truth; an honest mistake or ordinary negligence does not meet that bar. The criminal statutes charged in the Hillmer case (major fraud, wire fraud, and obstruction of a federal audit) likewise require intent to deceive. A contractor who can show it exercised due diligence and made a good-faith effort to implement and accurately report its controls is in a fundamentally different position than one who knowingly misrepresented them.


If you have a defensible approach to your controls, an updated SSP that accurately reflects your environment, and a record of honest self-assessment, you are building a robust legal defense. The government is looking for fraud, not perfection. A contractor who tries their best, documents their gaps, and reports honestly is vastly different in the eyes of the law than one who fabricates compliance.


Key Takeaways for Your Organization

  • Validate your SSP: Ensure your System Security Plan matches reality, not just your aspirations.

  • Don't fear the POA&M: Use your Plan of Action and Milestones to transparently track gaps. It is better to be non-compliant and honest than "compliant" and fraudulent.

  • Train your team: Ensure that everyone interacting with auditors knows that honesty is the primary directive.

  • Make assessments defensible: When you self-assess, keep the evidence to back up every answer. If a control is marked "Met," be ready to show how, with the actual artifact an assessor would ask for (a configuration export, a log sample, a screenshot of the setting), not a description of what the control is supposed to do.


At Kedge Security, we help our clients build compliance programs that stand up to scrutiny—not by hiding flaws, but by building a defensible, honest, and secure foundation.
