CMMC and the False Claims Act: Why Not Getting Compliant Hurts
Learn how failure to meet CMMC 2.0 requirements can lead to False Claims Act liability for DoD contractors. Discover compliance risks and how to protect your business.

There's been a lot of focus on the costs and logistics of the Cybersecurity Maturity Model Certification (CMMC), but there's another angle that doesn't get enough attention: liability under the False Claims Act (FCA). If your cybersecurity compliance history doesn't hold up under scrutiny, you could be facing more than just a failed assessment; you might be looking at legal trouble.
What's the False Claims Act?
The False Claims Act is a federal law from 1963 that holds companies accountable for defrauding the U.S. government. That includes knowingly submitting false claims, or misrepresentations, related to government contracts. It's one of the government's main tools for cracking down on fraud involving public funds. In 1986, the FCA was revitalized in response to continued fraud by defense contractors.
The CMMC Connection: From Self-Attestation to Verification
CMMC was created to improve cybersecurity across the Defense Industrial Base (DIB), especially when it comes to protecting sensitive info like FCI (Federal Contract Information) and CUI (Controlled Unclassified Information).
Before CMMC, contractors only had to self-attest that they were meeting requirements under rules like:
- FAR 52.204-21 for basic FCI protections
- DFARS 252.204-7012, which requires implementing NIST SP 800-171 for handling CUI
CMMC changes the game by introducing third-party assessments. It's no longer enough to say you're compliant; you must prove it.
Why This Matters for FCA Liability
The Department of Justice (DoJ) has made it clear: cybersecurity claims are now fair game under the False Claims Act. Under its Civil Cyber-Fraud Initiative, the DoJ is specifically targeting:
- Companies that knowingly deliver subpar cybersecurity solutions
- Contractors who misrepresent their cybersecurity posture
- Organizations that fail to report or monitor cyber incidents as required
In simple terms, if you claimed to be compliant in the past but really weren't, you could be at risk for heavy FCA penalties.
"You Should Have Already Been Doing This"
A big issue here is that the CMMC Level 1 and Level 2 requirements aren't new. FAR 52.204-21 has been in effect since 2016. DFARS 252.204-7012, which mandates NIST SP 800-171, has been required since the end of 2017.
The DoD even excluded the cost of implementing these requirements from its CMMC cost estimates because they were supposed to be done already. So, if you're scrambling now to meet CMMC requirements, that might be a sign that you weren't truly compliant before, which raises red flags for FCA exposure.
Risky Ground: Affirmations and POA&Ms
Some contractors have expressed concern that the CMMC process itself could create FCA liability, especially around signing annual affirmations or managing Plans of Action and Milestones (POA&Ms). The worry is that declaring "continuous compliance" might backfire if a system hiccup causes temporary non-compliance.
The DoD clarified this: continuous compliance doesn't mean perfection. It means your systems are compliant overall and you're working to maintain that status. POA&Ms are allowed (for certain conditions at Levels 2 and 3), but they must be closed within 180 days. Failing to follow through doesn't automatically trigger the FCA, but it could reflect poorly on your past attestations or current efforts, especially if the gaps are serious.
Recent FCA Claims
In 2024 alone, the DoJ reported that FCA settlements and judgments exceeded $2.9 billion. Yes, billion, the highest it has ever been. Whistleblowers filed over 900 lawsuits, a 35% increase from the previous year, and received over $400 million in awards for their role in exposing fraud. That is why creating a security-first culture is more imperative now than ever.
The Department of Justice is tightening its grip on cybersecurity enforcement, and the message is clear. In May 2025, Raytheon, RTX Corporation, and Nightwing Group LLC paid $8.4 million in response to allegations that they failed to comply with CMMC. This landmark case signals a new era of accountability: the cost of non-compliance is no longer hypothetical. It's real, it's substantial, and it's only going to escalate from here.
Consequences Beyond the FCA
Even if you never face FCA action, non-compliance with CMMC has real consequences. If you don't meet the required level, you won't be eligible for contract awards that include that level as a condition. And if your conditional certification expires due to unresolved POA&Ms, you could lose the ability to bid on or continue existing contracts until you get your status back.
Bottom Line: Be Proactive, Not Reactive
Here's the uncomfortable truth: if you're only now starting to meet the cybersecurity requirements that have been in place for years, you could be sitting on a compliance time bomb. CMMC assessments may expose long-standing gaps that were previously glossed over during self-attestation, and those gaps could be viewed as violations under the False Claims Act.
So, what's the smart move? Get serious about compliance now. Use the artifacts the CMMC framework already calls for, such as System Security Plans (SSPs), POA&Ms, assessments, and affirmations, as a way to document your good-faith efforts and stay ahead of risk. Not only will that help you meet CMMC requirements, but it could also be your best defense against FCA liability down the line.
Whether you need help getting started or want someone to do all of the heavy lifting, Agile IT can help. Our team of security experts specializes in helping defense contractors understand the complexities of CMMC compliance and make strides in their cybersecurity strategy.