LOGZONE Navy Cybersecurity Settlement Shows Why Contractor Self-Scores Need Receipts
BadPD source-check, June 19, 2026; source dates June 18, 2026 and settlement signatures June 15-17, 2026: the Justice Department says LOGZONE Inc. of Huntsville, Alabama agreed to pay $507,144 to resolve False Claims Act allegations tied to cybersecurity requirements in Department of the Navy contracts.
This is a cyber accountability story, not just a procurement line item. The public pays defense contractors to handle sensitive work. If the contract says covered defense information must be protected, the accountability record has to show more than a vendor’s own score.
What The Settlement Says
The DOJ release says LOGZONE was accused of knowingly submitting false or fraudulent claims for payment on two Navy contracts even though it had not complied with required cybersecurity controls. DOJ says the contracts involved the Naval Oceanographic Command Property Management Program at Stennis Space Center, Mississippi.
The settlement agreement adds the contract ledger. It says the Navy awarded LOGZONE one contract on March 30, 2021 for logistical and inventory services and another on November 1, 2022 for facilities support services. The agreement says LOGZONE had been paid $682,193.37 under those NAVOCEANO contracts up to and including a March 8, 2025 invoice.
The agreement says the contracts incorporated DFARS cybersecurity clauses, including 252.204-7012, 252.204-7019, and 252.204-7020. Those clauses are the bridge between the public contract and the security-control receipts: contractors handling covered defense information must protect the systems involved and maintain assessment-score records tied to NIST SP 800-171.
The Score Gap Is The Story
The sharpest fact is the score gap. The settlement agreement says LOGZONE submitted a perfect NIST SP 800-171 self-assessment score of 110 in the Supplier Performance Risk System on October 13, 2021. It then says the Defense Industrial Base Cybersecurity Assessment Center of the Defense Contract Management Agency completed a Medium Assessment on February 2, 2024 that gave LOGZONE a score of -170, near the bottom of the stated -203 to 110 range.
That is exactly why self-attestation cannot be the end of the audit trail. A perfect contractor score and a later deeply negative government assessment are not minor paperwork noise. They raise direct public questions: who relied on the original score, what work continued after the assessment, what data was processed on the affected systems, and what remediation was verified before later invoices were paid?
DOJ says LOGZONE allegedly failed from May 2021 to March 2025 to implement certain NIST SP 800-171 controls that, if missing, could lead to significant exploitation of systems or exfiltration of sensitive defense information. The settlement also says $253,572 of the $507,144 payment is restitution.
Confirmed, Alleged, Pending
Confirmed by the settlement documents: LOGZONE agreed to pay $507,144 plus interest from June 1, 2026 until payment; $253,572 is designated as restitution; the covered contracts involved Navy work at Stennis Space Center; LOGZONE submitted a 110 self-assessment score in October 2021; DCMA’s February 2024 Medium Assessment resulted in a -170 score; and the agreement was signed in June 2026.
Alleged, not adjudicated: DOJ and the settlement agreement say the resolved claims are allegations only and that there has been no determination of liability. The brief should not be read as a finding that LOGZONE committed a crime or admitted liability.
Pending records: payment confirmation, remediation proof, the DCMA assessment summary, Navy contract officer records, any stop-work or risk-mitigation decisions, whether covered defense information was actually exposed, whether any subcontractors were involved, and whether suspension, debarment, or other administrative remedies were considered or reserved.
Why This Belongs On The Public Ledger
Defense cyber enforcement is often written like insider procurement news. The public version is simpler: if a contractor says it has the controls, the government should be able to verify the controls before sensitive work keeps moving. When a perfect self-score later meets a -170 assessment, the public deserves a receipt trail showing who knew what, when invoices kept being paid, and what changed after the audit.
The BadPD follow-up is the contract-control file: final payment, verified remediation, assessment history, agency risk decisions, and any later procurement consequences. A settlement closes one civil lane. It does not close the security-control ledger.
Source Trail
- DOJ: Alabama Defense Contractor Agrees to Pay $507,144 (June 18, 2026) – Primary DOJ release for the LOGZONE False Claims Act settlement, Navy contract cybersecurity allegations, DCMA assessment reference, and no-determination-of-liability status.
- DOJ settlement agreement PDF: United States and LOGZONE Inc. (signed June 15-17, 2026) – Primary settlement agreement with contract numbers, payment amount, restitution amount, 110 self-assessment score, -170 DCMA Medium Assessment score, release/reservation terms, and allegation language.
- NIST SP 800-171 Rev. 3: Protecting CUI in Nonfederal Systems (May 2024 final publication) – Official NIST reference for the CUI security-control framework discussed by the settlement and Navy cybersecurity requirements.
- Acquisition.gov DFARS 252.204-7012 (current acquisition.gov clause page checked June 19, 2026) – Official DFARS clause page for safeguarding covered defense information and cyber incident reporting.
- Acquisition.gov DFARS 252.204-7019 (current acquisition.gov clause page checked June 19, 2026) – Official DFARS clause page for NIST SP 800-171 DoD assessment score requirements and SPRS score-posting context.