
The False Claims Act & CMMC: Getting It Wrong Could Cost Millions
If you’re in the Defense Industrial Base (DIB) and still treating cybersecurity compliance as a back-burner issue, it’s time for a wake-up call. The Cybersecurity Maturity Model Certification (CMMC) is no longer just a regulatory checkbox; it’s a business imperative, and the Department of Justice (DOJ) is making sure of that by weaponizing an old but powerful tool: the False Claims Act (FCA).
Here’s the bottom line: If you’re falsely claiming compliance with NIST SP 800-171 or inflating your SPRS scores, you could be committing fraud, and the penalties are steep.
Why the False Claims Act Matters Now More Than Ever
The False Claims Act was originally passed in 1863 to stop defense contractors from defrauding the U.S. government during the Civil War. Today, it’s being used to hold federal contractors accountable for cybersecurity fraud.
The DOJ’s Civil Cyber-Fraud Initiative, launched in 2021, made it clear: if you lie about your cybersecurity practices, knowingly or even recklessly, you’re opening yourself up to litigation under the FCA. That means triple damages, massive fines, and public exposure.
In fact, the DOJ is already using the FCA to prosecute false claims related to SPRS scores, self-assessments, and unimplemented security controls. The era of “self-certify and hope no one checks” is over.
Real Penalties. Real Companies. Real Consequences.
Let’s be clear: these are not hypothetical threats. Here’s a sample of recent FCA settlements tied to cybersecurity non-compliance:
MORSE Corp (2025): Paid $4.6 million for failing to meet NIST SP 800-171 requirements and submitting false SPRS scores. MORSE initially submitted a score of 104 (near the maximum of 110), but a third-party consultant later found their actual score was -142. The case was initiated by a whistleblower under the False Claims Act, who received $851,000 as part of the settlement.
Health Net Federal Services (2025): Settled for $11.25 million after falsely claiming cybersecurity compliance in its TRICARE contract. The government alleged that from 2015–2018, HNFS repeatedly failed to meet cybersecurity controls, ignored audit findings, and falsely certified compliance in annual reports to the Defense Health Agency. The investigation found failures in vulnerability scanning, patch management, and password policies while HNFS continued to claim it was secure.
Raytheon and RTX Corporation (2025): Paid $8.3 million in a whistleblower-driven case over alleged mishandling of sensitive information and misrepresentations. The whistleblower, a former Director of Engineering, received over $1.5 million for exposing that Raytheon falsely represented compliance while using a noncompliant internal system across 29 DoD contracts. While the public SPRS score they submitted is not listed, the case alleged significant gaps between what was claimed and what was actually implemented under NIST SP 800-171.
Pennsylvania State University (2024): Paid $1.25 million to resolve issues across 15 DoD and NASA contracts. Penn State was accused of submitting inflated SPRS scores that failed to reflect critical cybersecurity deficiencies and falsely claimed future compliance dates without follow-through. The case was brought by a whistleblower, a former CIO, who received $250,000 of the settlement under the False Claims Act.
This isn’t just about large primes. Small and mid-sized businesses are just as vulnerable, as demonstrated by the MORSE Corp case.
What Triggers a False Claims Act Violation?
Submitting inaccurate SPRS scores that overstate your compliance
Signing an executive attestation without verifying NIST SP 800-171 implementation
Misrepresenting compliance in contract proposals, meetings, or emails
Ignoring or delaying remediation efforts while continuing to certify readiness
Ignoring reports, audits, and findings
Intentionally hiding or covering up any activity that affects compliance
This list is by no means exhaustive but attempts to provide a framework for the types of activities that can fall under the scope of a False Claims Act violation. Even if you’re not outright lying, willful ignorance is not a defense. The executive who signs the SPRS score submission is legally accountable, and "I didn’t know" won’t hold up.
The “I Didn’t Budget for It” Excuse Won’t Fly
As Katie Arrington bluntly put it:
“If you didn't build it into your rate because you weren't doing it, shame on you.”
The requirements for cybersecurity, specifically NIST SP 800-171, have been on the books since 2017 under DFARS 252.204-7012. The only “new” cost introduced by CMMC is the third-party assessment. The security controls? You were already required to have them.
Five Things You Must Do Right Now
1. Reassess Your SPRS Score Honestly
Don’t let it sit untouched. Review your implementation status and revise your score if needed. A lower score is far safer than a false high one.
2. Document Everything
Maintain a detailed System Security Plan (SSP) and Plan of Action & Milestones (POA&M). If you ever face scrutiny, these documents will be your defense.
3. Get a Third-Party Check
An external gap assessment from a Registered Provider Organization (RPO) or Certified Third-Party Assessment Organization (C3PAO) can help you validate your position before it’s too late.
4. Train Your Team
Ensure executives, compliance leads, and IT personnel understand the legal stakes tied to cybersecurity misrepresentations.
5. Don’t Wait for a Knock on the Door
If you know you’re behind, start remediation today. FCA enforcement is active—and retroactive.
Compliance Is Now a Legal Obligation
For years, contractors got by with self-certifications and vague plans to “get compliant.” But now, the DOJ, DoD Inspector General, and even whistleblowers are watching. FCA enforcement is real, aggressive, and growing.
Failing to meet your cybersecurity obligations has become a legal issue. CMMC doesn’t introduce new rules; it forces you to prove you’ve been following the rules that already existed.
Clark Schaefer Consulting can help you get it right, before it costs you millions.
Our team understands the legal, technical, and operational challenges of CMMC and DFARS compliance. Whether you need help reassessing your SPRS score, building a defensible SSP and POA&M, or preparing for a third-party assessment, we’re here to guide you every step of the way.
Don’t wait for enforcement to come knocking. Contact us today to get started.
Written by: Serge Kikonda