What do you do when you discover that your cybersecurity is not what you have promised, even though there has not been an incident or breach? Do you (A) ignore it and hope it goes away; (B) fix the problem; or (C) tell your customer that you screwed up, and then fix the problem? While much of what you do may depend on what your contract says, as well as whether you are putting the privacy and security of data at risk (always try to do the right thing), a recent incident shows that even doing the right thing can cost you. A company that found a lack of security compliance, informed the government and fixed the problem ended up being fined for its efforts.
Voluntary Disclosure Programs
The idea of voluntary disclosure has always been sold as a kind of bargain with the government. If companies come forward when they discover security lapses, report them quickly, and fix them responsibly, they will receive credit for candor and cooperation. The Cybersecurity Information Sharing Act of 2015 (CISA) was built on precisely this idea. Congress wanted to remove the fear that disclosing vulnerabilities would create new liabilities, so the statute promised that cyber threat indicators shared with the Department of Homeland Security would not waive privilege, could not be obtained through FOIA, and would not be used against the company in regulatory proceedings. The hope was that this protection would encourage robust information sharing, creating a collective defense against cyber threats.
The Department of Justice and the Department of Defense have their own versions of the same promise. DOJ’s Corporate Enforcement Policy, embedded in the Justice Manual, explicitly encourages companies to self-report wrongdoing, cooperate with investigations, and remediate violations. The policy states that such disclosures can lead to reduced penalties and, in some circumstances, even declinations of prosecution. The Department of Defense, through its Voluntary Disclosure Program, likewise invites contractors to report potential fraud or misconduct in connection with defense contracts, promising that honesty will be rewarded with leniency. The purpose of these policies is not to grant immunity but to create incentives — essentially telling companies that the consequences of hiding violations will be worse than the consequences of revealing them. The federal CISA statute (up for renewal this September) also encourages voluntary disclosures.
The recent settlement between defense contractor Aero Turbine, Inc. (“ATI”) and its private equity owner Gallant Capital Partners LLC (“Gallant”) shows the limits of this bargain. Between January 2018 and February 2020, ATI apparently failed to implement core cybersecurity controls required under NIST SP 800-171, controls that were expressly incorporated into its Air Force contract through DFARS 252.204-7012. Even more seriously, in mid-2019, ATI and Gallant shared files containing sensitive Controlled Unclassified Information (CUI) with a software company in Egypt whose employees were not authorized to access the data.
When ATI and Gallant discovered these problems, they did not cover them up. They hired outside investigators, submitted written disclosures to the government, cooperated with DOJ, identified those responsible, and promptly remediated their systems. The Department of Justice acknowledged this conduct, praised their cooperation, and applied its enforcement policy to reduce the penalties they faced. And yet, the companies still paid $1.75 million to resolve allegations under the False Claims Act that they had submitted claims to the government while falsely representing compliance with their contractual cybersecurity obligations. The essence of the False Claims Act theory was not that the company failed to do the work it had contracted to do with DoD, but rather that, when it billed for that work, it falsely certified that it was FEDRAMP compliant and secure.
The legal reasoning is straightforward. By billing the Air Force for work under a contract that required compliance with NIST SP 800-171, ATI implicitly represented that it was meeting those standards. In reality, it was not. Under the Supreme Court’s reasoning in Universal Health Services, Inc. v. United States ex rel. Escobar, 579 U.S. 176 (2016), a claim for payment that omits a material noncompliance with contractual terms can constitute a false claim. No amount of voluntary disclosure after the fact erases the fact that the government was billed under false pretenses.
That is why the disclosure policies, both under CISA and DOJ’s Corporate Enforcement Policy, function more as sentence reductions than as get-out-of-jail-free cards. They mitigate the damage, but they do not erase liability. The Aero Turbine settlement is proof of that. The government still recouped money, imposed restitution, and reinforced the principle that compliance is not optional. Of course, it might have been much worse if the company had not disclosed the noncompliance – the government might have sought to punish the company more severely, or even sought criminal penalties.
What Should Lawyers Do?
For contractors and cybersecurity professionals, the lesson is uncomfortable but clear. Disclosure is the right move — it reduces exposure and shows good faith — but it is not a shield against punishment. If you fail to implement the required controls, if you misrepresent compliance, or if you expose sensitive data to unauthorized parties, you remain liable no matter how forthright you are afterward. The voluntary disclosure regimes exist to encourage openness, but they do not rewrite contracts, nor do they amend the False Claims Act.
The paradox is that this dynamic may undermine the very incentive structure these programs were meant to create. If every disclosure carries a hefty price tag, some companies may decide that silence is safer, hoping the lapse is never discovered. That is the tension at the heart of CISA and the DOJ/DOD guidelines: they promise leniency but not immunity, credit but not absolution.
In the end, the Aero Turbine case reminds us that in cybersecurity contracting, the only real safe harbor is compliance itself. The disclosure provisions may soften the blow, but as the old saying goes — and as this case shows — no good deed goes unpunished.
Mark Rasch