CMMC and the False Claims Act: Why Not Getting Compliant Hurts
Learn how failure to meet CMMC 2.0 requirements can lead to False Claims Act liability for DoD contractors. Discover compliance risks and how to protect your business.

There’s been a lot of focus on the costs and logistics of the Cybersecurity Maturity Model Certification (CMMC), but there’s another angle that doesn’t get enough attention—liability under the False Claims Act (FCA). If your cybersecurity compliance history doesn’t hold up under scrutiny, you could be facing more than just a failed assessment—you might be looking at legal trouble.
What’s the False Claims Act?
The False Claims Act is a federal law dating from 1863 that holds companies liable for defrauding the U.S. government, including knowingly submitting false claims, or making false statements material to a claim, under government contracts. "Knowingly" under the FCA covers actual knowledge, deliberate ignorance, and reckless disregard of the truth, so a contractor cannot escape liability simply by never checking whether its attestations were accurate. The FCA is one of the government's main tools for cracking down on fraud involving public funds, and the 1986 amendments revitalized it (notably by strengthening the whistleblower, or qui tam, provisions) in response to continued fraud by defense contractors.
The CMMC Connection: From Self-Attestation to Verification
CMMC was created to improve cybersecurity across the Defense Industrial Base (DIB), especially when it comes to protecting sensitive info like FCI (Federal Contract Information) and CUI (Controlled Unclassified Information).
Before CMMC, contractors only had to self-attest that they were meeting requirements under rules like:
- FAR 52.204-21 for basic FCI protections
- DFARS 252.204-7012, which requires implementing NIST SP 800-171 for handling CUI
CMMC changes the game by introducing third-party assessments. It’s no longer enough to say you’re compliant—you must prove it.
Why This Matters for FCA Liability
The Department of Justice (DOJ) has made it clear: cybersecurity claims are now fair game under the False Claims Act. Under its Civil Cyber-Fraud Initiative, launched in October 2021, the DOJ is specifically targeting:
- Companies that knowingly provide deficient cybersecurity products or services
- Contractors who knowingly misrepresent their cybersecurity practices or posture
- Organizations that knowingly violate obligations to monitor and report cyber incidents
In simple terms, if you claimed to be compliant in the past, knew (or should have known, had you looked) that you weren't, and the government relied on that claim in paying you, you could be at risk for heavy FCA penalties: treble damages plus per-claim civil penalties.
“You Should Have Already Been Doing This”
A big issue here is that the CMMC Levels 1 and 2 requirements aren’t new. FAR 52.204-21 has been in effect since 2016. DFARS 252.204-7012, which mandates NIST SP 800-171, has been required since the end of 2017.
The DoD even excluded the cost of implementing these requirements from its CMMC cost estimates because they were supposed to be done already. So, if you’re scrambling now to meet CMMC requirements, that might be a sign that you weren’t truly compliant before—raising red flags for FCA exposure.
Risky Ground: Affirmations and POA&Ms
Some contractors have expressed concern that the CMMC process itself could create FCA liability—especially around signing annual affirmations or managing Plan of Action and Milestones (POA&Ms). The worry is that declaring “continuous compliance” might backfire if a system hiccup causes temporary non-compliance.
The DoD clarified this in the CMMC final rule: continuous compliance doesn't mean perfection. It means your systems are compliant overall and you're actively maintaining that status; a transient outage of a control that you detect and correct is not the same as never having implemented it. POA&Ms are not permitted at Level 1. At Levels 2 and 3 they are allowed only for certain requirements and only when the assessment still meets the minimum score, and they must be closed within 180 days and verified through a POA&M closeout assessment. Failing to follow through doesn't automatically trigger FCA liability, but it can cast doubt on your past attestations and current efforts, especially if the open gaps are serious or were in place when you certified compliance.
Recent FCA Claims
In fiscal year 2024 alone, the DOJ reported that FCA settlements and judgments exceeded $2.9 billion, the highest annual total on record. Whistleblowers filed over 900 qui tam lawsuits, roughly a 35% increase from the previous year, and received over $400 million in awards for their role in exposing fraud. Most whistleblowers are insiders, which is why building a security-first culture, one in which employees can raise compliance concerns internally and see them fixed, is more important now than ever.
The Department of Justice is tightening its grip on cybersecurity enforcement, and the message is clear. In May 2025, Raytheon Company, RTX Corporation, and Nightwing Group LLC agreed to pay $8.4 million to resolve allegations that Raytheon failed to comply with the DFARS 252.204-7012 and NIST SP 800-171 cybersecurity requirements on its DoD contracts. Note that the alleged conduct predates CMMC: the settlement was about the existing requirements that CMMC now verifies, which is exactly the point. The cost of non-compliance is no longer hypothetical; it's real, it's substantial, and enforcement is likely to intensify as CMMC assessments surface gaps that self-attestation once hid.
Consequences Beyond the FCA
Even if you never face FCA action, non-compliance with CMMC has real consequences. If you don’t meet the required level, you won’t be eligible for contract awards that include that level as a condition. And if your conditional certification expires due to unresolved POA&Ms, you could lose the ability to bid on or continue existing contracts until you get your status back.
Bottom Line: Be Proactive, Not Reactive
Here's the uncomfortable truth: if you're only now starting to meet cybersecurity requirements that have been in place for years, you could be sitting on a compliance time bomb. CMMC assessments may expose long-standing gaps that were glossed over during self-attestation. A gap by itself is not an FCA violation, but a signed affirmation, SPRS score, or contract representation that claimed compliance while that gap existed can be, if you knew about it or recklessly ignored it.
So, what’s the smart move? Get serious about compliance now. Use the CMMC framework—System Security Plans (SSPs), POA&Ms, assessments, affirmations—as a way to document your good-faith efforts and stay ahead of risk. Not only will that help you meet CMMC requirements, but it could also be your best defense against FCA liability down the line.
Whether you need help getting started or want someone to do all of the heavy lifting, Agile IT can help. Our team of security experts specializes in helping defense contractors understand the complexities of CMMC compliance and make strides in their cybersecurity strategy.