Cybersecurity Service Authorization and Personnel Qualification Credential Authority Failure Through Billing for Services and Labor Not Meeting Contractual Requirements at Hill Associates Under GSA Multiple Award Schedule

The GSA Multiple Award Schedule program gives federal agencies a streamlined path to procure commercial IT goods and services. GSA negotiates contract terms with approved vendors; agencies then buy directly under those terms without redundant procurement processes. The MAS contract defines what a vendor is authorized to offer and at what rates. For specialized service categories — including Highly Adaptive Cybersecurity Services — GSA requires contractors to pass a technical evaluation before those services can be offered under the contract. The evaluation is the service authorization credential. Passing it establishes that the contractor has demonstrated the capability the service category requires. Without it, the contractor is not authorized to bill for those services regardless of whether the work was performed.

Separately, MAS contracts specify labor category requirements — the experience, education, and qualifications an individual must hold to be billed at a given rate. The personnel qualification credential is the documentation submitted to establish that a specific individual meets those requirements. It authorizes the labor category rate. Both the service authorization credential and the personnel qualification credential operate as billing authorization instruments. Both require that the conditions they represent are present before billing is permitted. Both were missing at Hill Associates — simultaneously, across the same contract period.

DOJ announced in July 2025 that Hill Associates agreed to pay at least $14.75 million to resolve False Claims Act allegations covering the period from 2018 to 2023. The settlement resolved two distinct sets of allegations. First, that Hill submitted claims for Highly Adaptive Cybersecurity Services to federal agencies despite never having passed the GSA oral technical evaluation required to offer that service category — the service authorization credential did not exist, and Hill billed as if it did. Second, that Hill billed at qualified labor category rates for IT personnel who did not hold the experience or educational credentials required under the contract — the personnel qualification credential asserted qualifications the underlying record did not support.

The settlement amount was based on Hill's ability to pay, with contingent additional amounts tied to financial performance. Hill did not admit liability. The resolution involved coordinated effort across DOJ's Civil Division, GSA's Office of Inspector General, the Treasury Department's Office of Inspector General, and the Treasury Inspector General for Tax Administration.

The service authorization credential and the personnel qualification credential each authorize a specific category of billing. The service authorization credential — the passed GSA technical evaluation — establishes that a contractor has demonstrated the capability required to offer a defined service category. Its absence means the contractor is not authorized to bill for that category regardless of what was delivered. The personnel qualification credential — the labor category justification and supporting documentation — establishes that an individual meets the contractual requirements that justify a specific rate. Its absence means the rate is not authorized regardless of what work was performed.

In both cases, the government's reliance on the credential at the point of invoice processing was not accompanied by independent verification that the credential's underlying condition was present. GSA accepted billing for cybersecurity services without verifying that Hill had passed the required technical evaluation. Agencies accepted billing at qualified labor rates without verifying that the individuals performing the work met the contractual qualification requirements. Both credentials asserted conditions. Neither condition was verified at the point of reliance. The billing was processed. The payment followed.

The simultaneous operation of two credential failures on the same contract is analytically significant. It is not a case of one credential type failing under unusual pressure. Both the service authorization instrument and the personnel qualification instrument failed through the same structural mechanism: acceptance of the credential as sufficient authorization without verification that the condition the credential represents is present. The failure condition is not specific to cybersecurity contracting or to IT labor categories. It is present wherever credentials authorize billing without a correspondence requirement at the point of reliance.

The $14.75 million settlement resolved allegations spanning five years of contract performance. The settlement amount reflects Hill's financial capacity rather than the full scope of the alleged conduct; contingent additional payments may increase the total recovery. DOJ's Civil Cyber-Fraud Initiative, which has produced settlements across defense, healthcare, and IT contracting, identified the service authorization credential failure as a distinct enforcement theory — the contractor billed for a service category it was structurally not authorized to offer, independent of any question about the quality of the work delivered. GSA's MAS program processes billions of dollars in annual IT procurement across thousands of contractors. The Hill Associates case establishes that the service authorization credential — the passed technical evaluation required before certain service categories may be offered — is a billing authorization instrument whose absence constitutes a false claim.

• Hill Associates settled False Claims Act allegations for $14.75 million in July 2025, resolving claims that it billed federal agencies for Highly Adaptive Cybersecurity Services without having passed the GSA technical evaluation required to offer that service category, and for IT personnel at qualified labor rates without the required experience or education — both credential failures operated simultaneously across the same contract period
• The service authorization credential is a distinct instrument from the personnel qualification credential: it establishes a contractor's authorization to offer an entire category of service, not merely to bill a specific individual at a specific rate — its absence means the service category was never authorized regardless of what was delivered or how it was performed
• Both credential failures share the same structural mechanism: the government accepted the billing submission as sufficient authorization without independent verification that the credential's underlying condition — the passed evaluation, the verified qualifications — was present at the point of reliance
• The GSA MAS program's streamlined procurement structure, designed to reduce redundant evaluation across agencies, creates a single point at which the service authorization credential is established — if that point fails to verify the underlying condition, every subsequent agency that relies on the MAS contract inherits the unverified credential
• The settlement was structured on ability to pay, with contingent additional amounts — the gap between the guaranteed minimum and the potential total reflects the scale of the alleged conduct across five years and multiple agency customers relative to Hill's financial capacity
• DOJ's Civil Cyber-Fraud Initiative has now established the service authorization credential as a distinct FCA theory: billing for a service category a contractor was structurally not authorized to offer constitutes a false claim independent of the quality or nature of the work actually performed