DOJ Indicts Former Senior Manager of Federal Contractor over Alleged Misrepresentations Concerning FedRAMP/DoD Cybersecurity Compliance

Wilson Sonsini Goodrich & Rosati

On December 10, 2025, the U.S. Department of Justice (DOJ) announced that Danielle Hillmer, a former senior manager at a government contractor, was indicted for falsely claiming that her employer had implemented required security controls and obstructing an audit by concealing deficiencies in the system. Hillmer’s employer was a Virginia-based government contractor that provided cloud computing services to federal agencies, including the U.S. Department of the Army, the U.S. Department of Veterans Affairs, and the U.S. Department of State.

The Alleged Scheme

The indictment alleges that, between March 2020 and November 2021, Hillmer was responsible for oversight of security assessments, authorizations, and continuous monitoring of the security of a cloud-based platform for government customers. The platform was used, or planned to be used, by six agencies under contracts and subcontracts valued at about $250 million. Hillmer allegedly lied about the platform’s compliance with FedRAMP[1] “High” and U.S. Department of Defense (DoD) Impact Level 4 and 5 cybersecurity requirements.

The indictment alleges that, despite warnings from employees and external consultants that the platform lacked required access controls, logging, monitoring, and other capabilities, Hillmer made false and misleading statements to government officials about the system architecture and the implementation of those security controls in order to fraudulently obtain FedRAMP High approval. The indictment further alleges that Hillmer tried to influence and obstruct third-party assessors by concealing known security deficiencies, and that she instructed others to hide the true state of the system during testing and demonstrations.

The Charges

Hillmer is charged with wire fraud under 18 U.S.C. § 1343, major government fraud under 18 U.S.C. § 1031, and obstructing a federal audit under 18 U.S.C. § 1516. The two wire fraud counts are based on allegedly false statements in submissions of FedRAMP assessment and authorization materials to the government in 2020 and 2021. The major government fraud count alleges that, in 2020 and 2021, Hillmer obtained a FedRAMP High provisional authorization for the platform based on false information. The obstruction counts allege that Hillmer made false and misleading submissions during FedRAMP assessments in 2020 and 2021 and concealed unimplemented or non-operational controls.

DOJ’s Civil Cyber-Fraud Initiative

The case should be understood against the backdrop of the DOJ’s heightened focus on cybersecurity representations in federal contracting, including through the Civil Cyber-Fraud Initiative, through which the DOJ has used the False Claims Act to pursue misrepresentations about compliance with cybersecurity requirements. The DOJ actively pursued Civil Cyber-Fraud enforcement throughout 2025, reaching settlements with eight companies and recovering almost $40 million from defense contractors, a private equity firm that owned a defense contractor, a research university, a benefit claims administrator, and a medical device provider.

Potential Corporate Exposure and Related Investigations

The Hillmer indictment charges only the individual former manager, not the government contractor. Neither the indictment nor the DOJ press release identifies the contractor, and the DOJ has not indicated whether there is an open investigation into the contractor. However, a large professional services firm which previously employed Hillmer has disclosed in prior securities filings that one of its subsidiaries made a “voluntary disclosure” to the U.S. government concerning the firm’s submissions to an assessor who was evaluating the implementation of required federal security controls for a particular offering. The disclosures stated that the firm had been responding to an administrative subpoena and was cooperating with a DOJ investigation. The disclosures noted that the matter could subject the firm to adverse consequences, including civil and criminal penalties and administrative sanctions. In addition, under general principles of U.S. criminal law, a company is liable when one of its employees acts within the scope of their employment and commits a crime to benefit the company.

Key Takeaways for Federal Contractors and Cloud Providers

This case has important implications for companies that provide cloud or other IT services to the federal government:

  • Misrepresentations about a company’s compliance with cybersecurity requirements have potential implications under federal criminal law, not just contractual and regulatory frameworks. In addition to civil False Claims Act enforcement, the DOJ will bring criminal charges where it believes individuals have misled agencies, FedRAMP officials, or third-party assessors about their cybersecurity controls.
  • FedRAMP High environments, especially those supporting defense, intelligence, or national security missions, are receiving heightened attention from federal authorities in light of the recent Cybersecurity Maturity Model Certification (CMMC) rule change. Federal departments and agencies increasingly rely on FedRAMP authorizations as the government seeks to streamline the approval process and leverage it for unified adoption and proliferation of approved cloud service and application offerings. At least six agencies planned to rely on, or actually relied on, the Provisional Authority to Operate (P-ATO) in this case for mission-critical cloud services. This increases the stakes for accuracy and transparency in FedRAMP submissions, documentation, and processes.
  • FedRAMP artifacts may be treated as material representations, and false statements can create criminal and civil liability for companies. Security packages, System Security Plans, Plan of Action and Milestones (POA&Ms), and responses to assessor requests for information and submissions are not mere technical documents, but certifications relied upon by departments and agencies for procurement decisions.
  • Internal dissent and outside reports can be critical evidence. The indictment references warnings from internal personnel and an external firm that were allegedly disregarded. Those communications can become key exhibits in any later investigation.
  • Parallel corporate investigations are increasingly common. Publicly reported securities filings show the DOJ opening civil/criminal investigations where a contractor self-discloses potential inaccuracy in security-related submissions. Prompt internal investigation, voluntary disclosure, and cooperation can significantly affect whether an organization faces criminal charges, civil exposure, or a potential declination.

What Federal Contractors Should Do Now

Federal contractors and cloud service providers should consider:

  • Reviewing FedRAMP and DoD Risk Management Framework submissions (including system security plans, POA&Ms, and change requests) for accuracy and support in contemporaneous documentation. Effective compliance depends on documentation that is grounded in real artifacts demonstrating the implementation and performance of required controls; it is far easier to build documentation from existing evidence than to attempt to create or reconstruct that evidence after the fact. Clients should maintain a disciplined process for collecting, organizing, and validating artifacts as part of routine operations so that every representation made to the government can be substantiated when audited.
  • Strengthening internal governance around security representations by implementing or reinforcing a formal cybersecurity attestation process, multilevel review of FedRAMP submissions, and clearly documenting internal evaluations or risk acceptance decisions.
  • Reviewing all subcontractor agreements to ensure cybersecurity obligations are clearly defined, monitored, and enforceable. Consider implementing mandatory subcontractor attestations, periodic audits, and contractual remedies for noncompliance.
  • Assessing third-party audit interactions, ensuring there is no pressure on assessors or employees to downplay deficiencies.
  • Reevaluating internal reporting channels so that security personnel can raise concerns without fear of retaliation, and those concerns are documented and investigated.
  • Refreshing training for program managers and technical leads on how to characterize security posture, remediation timelines, and residual risk in communications with the government and auditors.
  • Coordinating with counsel if any prior submissions may be inaccurate, to determine whether an internal investigation and potential self-disclosure are warranted.

Finally, companies that identify discrepancies in their cybersecurity or FedRAMP representations should promptly consult legal counsel to determine whether a voluntary disclosure to the General Services Administration, DoD, or DOJ is appropriate. Evaluating such disclosures allows organizations to weigh the benefits of early cooperation, which include mitigating enforcement risks and demonstrating a commitment to good-faith compliance.

[1] FedRAMP (Federal Risk and Authorization Management Program) is a U.S. government-wide initiative standardizing security assessments for cloud products, ensuring they meet strict security requirements (NIST-based controls) before federal agencies can use them.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Wilson Sonsini Goodrich & Rosati
