
CMMC and the False Claims Act: What the DOJ Cyber-Fraud Crackdown Means for Defense Contractors

By Glenn Ballard · CMMC Registered Practitioner · June 19, 2026 · 9 min read

For years, the biggest risk of weak cybersecurity in defense contracting felt abstract: maybe you'd lose a future contract. That has changed. The U.S. Department of Justice is now using one of the most powerful tools in federal law — the False Claims Act — to pursue contractors who say they meet cybersecurity requirements when they don't. In June 2026, an Alabama defense contractor agreed to pay $507,144 to resolve allegations that it failed to implement required NIST SP 800-171 controls on Navy contracts. It is one of a growing line of cases. If you hold or bid on DoW contracts, this is the enforcement reality you are now operating in.

This article is general information for defense contractors, not legal advice. For your specific situation, consult qualified counsel. What follows is the practical landscape every contractor should understand.

The Civil Cyber-Fraud Initiative: What Changed

In 2021, the Department of Justice launched the Civil Cyber-Fraud Initiative. Its premise is simple but consequential: when a contractor accepts federal money under a contract that requires specific cybersecurity, and then knowingly fails to deliver that cybersecurity (or lies about it), that can be fraud against the government — not merely a compliance shortfall.

The Initiative pursues three broad failures: knowingly providing deficient cybersecurity products or services, knowingly misrepresenting security practices or controls, and knowingly failing to report cyber incidents as required. For the defense industrial base, that maps directly onto NIST SP 800-171, your SPRS score, and the CMMC framework.

How the False Claims Act Turns a Gap Into Liability

The False Claims Act (FCA) is the government's primary anti-fraud statute. Two features make it especially serious in the cybersecurity context:

  • Treble damages. Liability can reach three times the government's damages, plus a civil penalty for each false claim.
  • “Knowingly” is a low bar. You don't need intent to defraud. Acting in reckless disregard or deliberate ignorance of the truth — for example, certifying compliance without actually verifying it — can be enough.

The theory most relevant to contractors is implied false certification: every invoice you submit implicitly certifies you're complying with the material terms of your contract. If your contract required NIST SP 800-171 implementation and you weren't implementing it, each payment request can become a potential false claim.

What Actually Triggers Liability

Cybersecurity obligations enter your contract through a familiar set of DFARS clauses. Misrepresenting compliance with any of them is where exposure begins:

  • DFARS 252.204-7012 — requires safeguarding covered defense information per NIST SP 800-171 and reporting cyber incidents.
  • DFARS 252.204-7019 / 7020 — require you to perform a NIST SP 800-171 assessment and post your SPRS score for the government to review before award.
  • DFARS 252.204-7021 — the CMMC clause, embedding the certification requirement into contracts.

The most common fact patterns behind enforcement actions:

  • Reporting an SPRS score that overstates actual implementation
  • Certifying NIST SP 800-171 compliance that was never operationalized (policies on paper, controls never enabled)
  • Failing to report a cyber incident as the contract required
  • Storing or processing CUI on systems that were never brought into compliance

The SPRS score is a sworn number, not a marketing number. Because 7019/7020 put your score in front of contracting officers, an inflated score is a documented government representation. It is one of the most direct ways a contractor creates False Claims Act exposure — and one of the easiest for an investigator to test against your actual systems.

The Whistleblower Problem: Your Own Team

Most people picture enforcement as the government knocking on the door. In practice, a large share of FCA cybersecurity cases start inside the company. The FCA's qui tam provisions let a private individual — very often a current or former IT employee, security lead, or contractor — file suit on the government's behalf and collect a share of the recovery (commonly 15–30%).

That changes the risk calculus. The person who knows your MFA isn't actually deployed, or that your “110/110” SPRS score doesn't match reality, has both the knowledge and a financial incentive to report it. “No one will check” is not a strategy.

The Pattern: This Is Not Theoretical

Recent years have produced a steady cadence of cybersecurity FCA settlements across the defense and federal contracting space — ranging from a 2022 aerospace settlement of roughly $9 million for misrepresenting compliance, to the June 2026 Alabama logistics contractor that paid $507,144 over unmet NIST SP 800-171 controls on Navy work. The dollar figures vary; the lesson does not. The government is willing to enforce, whistleblowers are willing to report, and “we intended to get to it” is not a defense.

How to Protect Your Company

The good news: the same practices that reduce FCA exposure also make you certification-ready. Five fundamentals:

1. Know your real SPRS score

Assess all 110 NIST SP 800-171 requirements honestly, using the DoD Assessment Methodology, and report the number your evidence actually supports. An accurate 72 is far safer than an inflated 110.

2. Maintain a real SSP and POA&M

Your System Security Plan documents how each requirement is met; your Plan of Action & Milestones documents every gap and how you'll close it. Together they show good faith — the opposite of reckless disregard.

3. Keep evidence, not just assertions

A control is “met” when it's operational and you can prove it — screenshots, configurations, logs, policies in force. “Implemented” on paper with nothing behind it is exactly what investigators look for.

4. Never inflate to win an award

Posting a score you can't support to clear a 7019 threshold is the single highest-risk move a contractor can make. A POA&M and an honest score keep you eligible while protecting you legally.

5. Close gaps on a documented timeline

Demonstrable, dated progress against your POA&M is your best evidence of good faith — and it raises your score over time.
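To make items 1 and 5 concrete, here is an added example (my own code, not the article's or Dragonfli's) that scores a constructed subset of requirements the way the DoD Assessment Methodology does: start at 110, subtract each unmet requirement's weight, give partial credit only for MFA (3.5.3) and FIPS encryption (3.13.11), and treat a POA&M entry as still unimplemented. The weights and the -203 floor are from my reading of the published methodology and are assumptions to check against the current version; the scenario shows the same environment scored as claimed on paper versus as the evidence supports.

```python
from dataclasses import dataclass

MAX_SCORE = 110
MIN_SCORE = -203  # 110 minus the 313 points of total possible deductions (assumed floor)

@dataclass(frozen=True)
class Requirement:
    rid: str
    weight: int              # deduction when not implemented
    partial_weight: int = 0  # deduction when partially implemented; 0 = no partial credit

# Constructed subset of the 110 requirements; weights are from my reading of the
# DoD Assessment Methodology and should be checked against the current version.
CATALOG = {r.rid: r for r in (
    Requirement("3.1.1", 5),       # limit system access to authorized users
    Requirement("3.1.5", 3),       # least privilege
    Requirement("3.1.22", 1),      # control CUI on publicly accessible systems
    Requirement("3.3.1", 5),       # create and retain audit logs
    Requirement("3.4.9", 1),       # control user-installed software
    Requirement("3.5.3", 5, 3),    # MFA; 3 if only privileged/remote users are covered
    Requirement("3.5.7", 1),       # password complexity
    Requirement("3.13.11", 5, 3),  # FIPS crypto; 3 if encrypted but not FIPS-validated
    Requirement("3.14.1", 5),      # identify and correct system flaws (patching)
)}

def sprs_score(findings, catalog=CATALOG):
    """Start at 110, subtract each requirement's weight unless findings[rid] == "met".
    "poam" and "not_met" deduct in full, as does a missing finding (unverified is not
    certifiable); "partial" gets reduced credit only where the methodology allows it."""
    score = MAX_SCORE
    for rid, req in catalog.items():
        status = findings.get(rid, "not_met")
        if status == "met":
            continue
        if status == "partial" and req.partial_weight:
            score -= req.partial_weight
        else:  # "partial" on any other requirement, "poam" and "not_met" all score as not implemented
            score -= req.weight
    return max(score, MIN_SCORE)

# Constructed scenario: the SSP claims every control; the evidence review says otherwise.
PAPER_CLAIM = {rid: "met" for rid in CATALOG}
EVIDENCE_BASED = {
    **PAPER_CLAIM,
    "3.5.3": "partial",    # MFA only on VPN and admin accounts
    "3.13.11": "partial",  # TLS everywhere, but the modules are not FIPS-validated
    "3.3.1": "poam",       # log retention is on the POA&M, not yet implemented
    "3.14.1": "not_met",   # no enforced patching cadence
    "3.5.7": "partial",    # enforced on some systems only: no partial credit here
}
```

The paper claim scores 110 while the same systems assessed against evidence score 93; the POA&M entry and the unfinished patching each cost their full weight, which is the honest number item 1 asks you to report and item 5 asks you to raise over time.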

Start With an Honest Number

You cannot defend a score you've never actually measured. The fastest way to understand your real exposure is a true assessment against all 110 requirements — which is exactly what the Dragonfli Group CMMC Accelerator does: an estimated SPRS score using the DoD methodology, a draft SSP and POA&M, and a gap analysis, each reviewed by a CMMC Registered Practitioner. No inflated numbers, no invented evidence — just the real picture you can act on and defend.

KNOW WHERE YOU STAND

Don't guess your SPRS score. Know it.

The free Pulse Check takes about 15 minutes and shows where you stand on your highest-risk CMMC requirements — no credit card, no sales call.
