Federal Contractor Pays $14.7M To Settle Cyber Fraud Charges

A Maryland-based IT firm, Hill ASC Inc., has agreed to fork over at least $14.75 million in a settlement that brings the federal contractors under the scanner. This isn’t just about money but a reminder that cutting corners on IT services for Uncle Sam carries a hefty price, especially when national security is on the line.

The U.S. Department of Justice on Monday revealed that Hill Associates allegedly billed federal agencies for IT staff who simply didn’t meet the contractually required experience or education. For five years, from 2018 to 2023, the company operated under a General Services Administration (GSA) program, a pipeline meant to get top-tier commercial services to the government efficiently.

Investigators also claimed Hill Associates submitted invoices for specific cybersecurity services despite failing a critical technical evaluation. The GSA demands these rigorous assessments for contractors offering highly adaptive cybersecurity solutions to government clients. Not passing such an evaluation points to significant gaps in the company’s advertised capabilities.

The firm reportedly charged unauthorized fees and neglected to give government customers crucial information about prompt payment discounts. Additionally, Hill Associates included unallowable incentive compensation within a cost submission for a new contract proposal, further muddying its billing practices.

Cybersecurity experts believe there is an absolute necessity for strict oversight in government IT contracts. Agencies depend on contractors to uphold the highest standards, particularly when services directly impact federal operations and critical data integrity. Any slip from agreed-upon terms, whether unqualified personnel or misrepresented capabilities, erodes trust and opens doors for potential vulnerabilities.

“Federal agencies should get what they have paid for from GSA contractors, nothing less,” GSA’s Deputy Inspector General, Robert Erickson said. This sentiment resonates deeply within the cybersecurity community, where the quality of IT infrastructure and the expertise of its stewards directly influence national security and operational resilience.

Loren Sciurba, Treasury Deputy Inspector General, added that “false claims and similar unfair advantage by contractors undermine the integrity of the contracting process and can result in significant adverse effects to vital security concerns.” The implications stretch far beyond mere financial misconduct; subpar IT services can expose federal systems to advanced persistent threats (APTs) and sophisticated nation-state hackers.

Apart from the fine, Hill Associates also agreed to pay 2.5% of its annual gross revenue exceeding $18.8 million beginning next year.

The allegations were filed under the False Claims Act, a U.S. federal law that imposes liability on individuals and companies who defraud the government. In fiscal year 2024, the DOJ recovered over $2.9 billion from civil cases involving fraud and false claims.

Another defense contractor who settled with DOJ earlier this year was Morse Corp Inc., a Massachusetts-based company. The contractor agreed to pay $4.6 million to resolve allegations of cybersecurity fraud that involved the company misrepresenting its compliance with federal cybersecurity standards while working on contracts with the Departments of the Army and Air Force.

Also read: Defense Contractor Morse Corp Settles Cybersecurity Fraud Allegations for $4.6M

According to the settlement agreement, Morse Corp submitted a misleading score of 104 on its cybersecurity assessment to the Department of Defense’s Supplier Performance Risk System (SPRS) in January 2021. However, an independent evaluation in July 2022 revealed a significantly lower score of -142, indicating that the company had only implemented 22% of the required controls.

While Hill Associates and Morse Corp. agreed to pay the fine and settle without admitting liability, the case shines a bright light on a persistent challenge in public sector contracting. Ensuring vendors truly possess the stated qualifications and deliver services as promised is fundamental to robust cloud security and strong application security. This vigilance protects against future data breaches and maintains the integrity of critical government systems.

Related