DOJ brings individual criminal charges for FedRAMP fraud: What government contractors need to know

Key takeaways

The DOJ has signalled it will continue its efforts under its Cyber-Fraud Initiative.

For the first time since the SolarWinds case, an individual faces charges over cybersecurity compliance representations, and this time the charges are criminal.

Government contractors should strive to maintain accuracy in all their reporting.

The U.S. Department of Justice (DOJ) has recently brought criminal charges against an individual for cybersecurity fraud in government contracting under the Federal Risk and Authorization Management Program (FedRAMP). DOJ's Cyber-Fraud Initiative has focused primarily on civil enforcement under the False Claims Act (FCA), securing multiple corporate settlements throughout 2025. This criminal indictment of a former senior manager at a Virginia-based federal contractor signals a new willingness to pursue individual liability through criminal prosecution. The charges send a clear message that, despite the dismissal of charges against SolarWinds' Chief Information Security Officer in November 2025, personal liability for cybersecurity compliance remains a key risk consideration in 2026.

Background on the Hillmer indictment

On December 10, 2025, DOJ announced the criminal indictment of Danielle Hillmer, a former senior manager at a Virginia-based federal contractor (widely reported as Accenture Federal Services). Hillmer allegedly orchestrated a scheme between March 2020 and November 2021 to misrepresent the security posture of a cloud platform used by the U.S. Army and other federal agencies. The indictment alleges that Hillmer concealed known security deficiencies, misled third-party assessors during required audits, and submitted materially false documentation to obtain and maintain government contracts valued at more than $250 million.

Key allegations and compliance failures

The indictment alleges criminal violations through the submission of materially false information to obtain and maintain government contracts. DOJ claims Hillmer knowingly submitted, or caused others to submit, authorization materials containing false cybersecurity-related representations to assessors, authorizing officials, and government customers. These materials allegedly enabled the contractor to secure contracts for cybersecurity levels that the platform did not actually provide.

DOJ alleges that Hillmer falsely represented that the contractor's cloud platform met the FedRAMP High baseline and the Department of Defense's (DOD's) Risk Management Framework requirements at Impact Levels 4 and 5, even though the system allegedly lacked required security capabilities such as access controls (including multi-factor authentication), logging, and monitoring.

The indictment claims that Hillmer's alleged misrepresentations induced the U.S. Army to sponsor the platform for a DOD provisional authorization, ultimately securing a FedRAMP High provisional authority-to-operate (ATO) in July 2021. The indictment also alleges that Hillmer sought to influence third-party assessments by concealing deficiencies and instructing others to withhold or hide the true state of the system during testing and demonstrations.

What this shows about DOJ's enforcement strategy

The Hillmer case reflects DOJ's continued commitment to cybersecurity enforcement, which shows no signs of slowing despite broader shifts in federal priorities, and indicates a sustained possibility of individual liability for cybersecurity compliance.

The Civil Cyber-Fraud Initiative remains a priority

Launched in October 2021, DOJ's Civil Cyber-Fraud Initiative has matured into a robust enforcement program. In May 2025, DOJ's Criminal Division released a memorandum explicitly stating that the department will "prioritize investigating and prosecuting" cases involving "federal program and procurement fraud," among other areas of focus. This commitment has translated into significant results, achieved almost exclusively through civil enforcement under the False Claims Act (FCA). In its January 2026 press release on 2025 FCA settlements, DOJ reported record-breaking FCA recoveries of $6.8 billion for 2025 and signalled that cybersecurity obligations will remain a priority in 2026.

Several cybersecurity-related settlements announced in 2025 demonstrate the breadth of DOJ's enforcement reach. These cases consistently focused on failures to implement required National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and NIST SP 800-53 controls, FedRAMP compliance gaps, and inaccurate reporting of security postures in the Supplier Performance Risk System (SPRS). Notably, cybersecurity enforcement has remained an active focus of the current administration even as other regulatory areas have been deprioritized.

Potential criminal escalation

While DOJ's Civil Cyber-Fraud Initiative has primarily focused on corporate FCA settlements that recover monetary damages and impose compliance obligations, the Hillmer indictment demonstrates DOJ's increased emphasis on criminal enforcement of cybersecurity issues, and on executive accountability, where violations are deemed severe enough. The indictment alleges a combination of knowing misrepresentation, active concealment, and obstruction of oversight processes, and asserts that Hillmer ignored explicit warnings about the noncompliant conduct.

Implications for CISOs, contractors, and organizations

Even as the case surrounding the Hillmer indictment evolves, corporate executives, Chief Information Security Officers (CISOs), and government contractors can heed important lessons for their organizations and their leadership.

Personal liability is real

DOJ and other regulators appear increasingly comfortable imposing personal liability, including for cybersecurity noncompliance. Information security and other senior corporate leaders should document their compliance assessments, escalate concerns through appropriate channels, and refuse to certify compliance when gaps exist. Exposure to personal liability is especially heightened where there is evidence of knowingly false statements or intentional concealment of known vulnerabilities.

Implications for whistleblowers

The shift toward individual criminal liability may also increase whistleblower activity. Employees who previously might have remained silent about compliance failures may now feel compelled to report issues to avoid potential personal criminal exposure. The qui tam provisions of the FCA already incentivize whistleblowers with substantial financial rewards, but the possibility of criminal prosecution may add another powerful motivation for individuals to come forward early.

Documentation and audit integrity

The Hillmer indictment's obstruction allegations underscore the critical importance of maintaining audit integrity. Organizations may wish to revisit the controls that govern what assessors are shown and told, so that the evidence, demonstrations, and documentation provided during an audit reflect the actual state of the system.

Cross-functional coordination

Effective cybersecurity compliance requires close coordination between CISOs, legal teams, and compliance functions, with additional involvement at the executive level. When information security teams identify gaps, they should engage legal and compliance professionals to assess disclosure obligations and remediation timelines. Similarly, when contracts require specific information security certifications, it is important to involve the legal, information security, and other teams early to align on requirements implementation and certification preparation.

Conclusion

The recent Hillmer indictment signals that DOJ's cybersecurity enforcement efforts have entered a new phase. While civil FCA actions will undoubtedly continue, government contractors and their leadership must now recognize that individual criminal prosecution is a real possibility when compliance failures involve knowing misrepresentations and obstruction of oversight.

For CISOs and information security leaders, the indictment serves as a reminder that honest, well-documented compliance assessments are essential protections against personal criminal liability. Organizations must equip security teams with the resources, authority, and support needed to achieve genuine compliance and to refuse certification when gaps exist.

Government contractors navigating these complex compliance obligations should consult with experienced legal counsel to assess their cybersecurity programs, disclosure practices, and audit processes.

The Hogan Lovells team has deep experience with FCA investigations and litigation, and we stand ready to help organizations navigate these challenges. For more on DOJ's cybersecurity enforcement trends in the FCA space, see our recent coverage.

Authored by Paul Otto, Stacy Hadeka, Dan Ongaro, Garima Malhotra, Emma Kotfica, and Dorea Marshall.
