DOJ Charges Former Executive in Criminal Case Alleging Cybersecurity Compliance Fraud
A recent indictment underscores the U.S. Department of Justice’s (“DOJ”) focus on cybersecurity compliance in federal contracting and DOJ’s willingness to escalate enforcement beyond the civil False Claims Act (see Foley’s prior reporting here and here) to bring criminal charges against individuals. On December 10, 2025, DOJ announced that a federal grand jury in the District of Columbia had indicted Danielle Hillmer, a former senior manager at a Virginia‑based government contractor, on charges of major government fraud, wire fraud, and obstruction of a federal audit. DOJ alleges that Hillmer misrepresented that her company’s cloud‑based platform — used by multiple federal agencies — complied with mandated cybersecurity standards, and impeded oversight by concealing serious security flaws. The conduct appears to have occurred when Hillmer was employed at Accenture and managed its cloud services products.
The Hillmer Indictment
According to the indictment, Hillmer allegedly participated in a multi‑year scheme to defraud the United States by obstructing audit processes and misleading federal agencies about required cybersecurity controls and protections for Accenture’s cloud‑based platform used by at least six federal agencies, including the U.S. Army, Department of State, Department of Veterans Affairs, and other government customers. Specifically, DOJ claims that Hillmer:
- Falsely represented that the platform met security controls at the FedRAMP High baseline and Department of Defense Impact Levels 4 and 5, despite repeated warnings that the system lacked required access controls, logging, monitoring, and other critical capabilities as well as the resources to achieve compliance.
- Sought to influence and obstruct third‑party assessors during required audits in 2020 and 2021 by concealing serious deficiencies and instructing others to hide the true state of the system during testing and demonstrations.
- Made false and misleading representations to the U.S. Army to induce it to sponsor the platform for a Department of Defense provisional authorization.
- Submitted or caused others to submit materials that she knew contained materially false information, in order to obtain and maintain lucrative government contracts and system authorizations. These government contracts “required a level of security that the platform did not actually provide.”
Hillmer is charged with two counts of wire fraud (maximum penalty of 20 years each), one count of major government fraud (maximum penalty of 10 years), and two counts of obstruction of a federal audit (maximum penalty of 5 years for each count).
Enforcement Landscape
The Hillmer case offers a stark example of DOJ’s continued enforcement focus on cybersecurity requirements, though this case is also notable for its use of traditional fraud statutes with obstruction charges to pursue conduct involving noncompliance with required security controls in government contracting.
This matter also demonstrates that DOJ may bring charges even when there were no actual data breaches. DOJ’s theory is that material misrepresentations regarding required security controls, if relied upon by the government, are sufficient to support criminal charges carrying significant penalties even without a resulting data breach.
The investigation reflects a coordinated, multi‑agency effort involving Inspectors General and military investigative branches. Such collaboration broadens investigative capacity, expertise, and jurisdictional reach, resulting in greater scrutiny of contractors and raising the stakes for both corporate and individual accountability.
Recommendations for Government Contractors and Other Recipients of Federal Funds
The Hillmer matter illustrates the seriousness with which the DOJ views cybersecurity compliance failures in federal contracting. The following measures can strengthen your organization’s technical, compliance, and governance controls and help reduce the risk of liability for both the company and individual executives.
- Establish Top-Down Commitment to Compliance. Cybersecurity compliance should be driven by senior leadership and treated as a critical organizational value. Executives should receive regular, structured updates on internal control performance, deficiencies, remediation progress, and remaining vulnerabilities. Governance protocols should ensure issues are escalated promptly rather than concealed, and that employees who raise concerns in good faith are protected from retaliation.
- Monitor Contractual Cybersecurity Obligations. Develop and maintain an up‑to‑date inventory of all contractual cybersecurity standards and the systems they cover. Confirm that responsible personnel understand these requirements, continuously monitor performance, and implement corrective measures when deficiencies are found. Effective compliance programs typically require close collaboration between compliance/legal functions and information security/IT personnel.
- Maintain Robust Internal Controls. Conduct rigorous internal reviews or obtain independent third‑party validation before submitting certifications, audit responses, or authorization materials to federal agencies to confirm these are accurate, complete, and supported by documentation.
- Correct Inaccuracies Promptly. If statements, reports, or submissions to the government are later found to be incomplete or inaccurate, act immediately to correct the record. Consider proactive disclosure when appropriate. Taking prompt corrective action when inaccuracies are identified can mitigate potential civil or criminal liability and convey to regulators that the organization is acting in good faith to address compliance concerns.
- Targeted Education and Awareness. Deliver role-specific training on applicable cybersecurity standards for government contracts and on appropriate, transparent engagement with federal agencies, auditors and assessors. The training should reinforce that intentional misrepresentations or obstruction during audits can result in severe personal and corporate consequences, including criminal liability.