CMMC and the False Claims Act: Why Not Getting Compliant Hurts

Learn how failure to meet CMMC 2.0 requirements can lead to False Claims Act liability for DoD contractors. Discover compliance risks and how to protect your business.

Published on Jun 10, 2025

There’s been a lot of focus on the costs and logistics of the Cybersecurity Maturity Model Certification (CMMC), but there’s another angle that doesn’t get enough attention—liability under the False Claims Act (FCA). If your cybersecurity compliance history doesn’t hold up under scrutiny, you could be facing more than just a failed assessment—you might be looking at legal trouble.

What’s the False Claims Act?

The False Claims Act is a federal law from 1963 that holds companies accountable for defrauding the U.S. government. That includes knowingly submitting false claims—or misrepresentations—related to government contracts. It’s one of the government’s main tools for cracking down on fraud involving public funds. And, in 1986, the FCA was revitalized in response to defense contractors’ continued fraud.

The CMMC Connection: From Self-Attestation to Verification

CMMC was created to improve cybersecurity across the Defense Industrial Base (DIB), especially when it comes to protecting sensitive info like FCI (Federal Contract Information) and CUI (Controlled Unclassified Information).

Before CMMC, contractors only had to self-attest that they were meeting requirements under rules like:

  • FAR 52.204-21 for basic FCI protections
  • DFARS 252.204-7012, which requires implementing NIST SP 800-171 for handling CUI

CMMC changes the game by introducing third-party assessments. It’s no longer enough to say you’re compliant—you must prove it.

Why This Matters for FCA Liability

The Department of Justice (DoJ) has made it clear: cybersecurity claims are now fair game under the False Claims Act. Under its Civil Cyber-Fraud Initiative, the DoJ is specifically targeting:

  • Companies that knowingly deliver subpar cybersecurity solutions
  • Contractors who misrepresent their cybersecurity posture
  • Organizations that fail to report or monitor cyber incidents as required

In simple terms, if you claimed to be compliant in the past—but really weren’t—you could be at risk for heavy FCA penalties.

“You Should Have Already Been Doing This”

A big issue here is that the CMMC Levels 1 and 2 requirements aren’t new. FAR 52.204-21 has been in effect since 2016. DFARS 252.204-7012, which mandates NIST SP 800-171, has been required since the end of 2017.

The DoD even excluded the cost of implementing these requirements from its CMMC cost estimates because they were supposed to be done already. So, if you’re scrambling now to meet CMMC requirements, that might be a sign that you weren’t truly compliant before—raising red flags for FCA exposure.

Risky Ground: Affirmations and POA&Ms

Some contractors have expressed concern that the CMMC process itself could create FCA liability—especially around signing annual affirmations or managing Plan of Action and Milestones (POA&Ms). The worry is that declaring “continuous compliance” might backfire if a system hiccup causes temporary non-compliance.

The DoD clarified this: continuous compliance doesn’t mean perfection. It means your systems are compliant overall and you’re working to maintain that status. POA&Ms are allowed (under certain conditions at Levels 2 and 3), but they must be closed within 180 days. Failing to follow through doesn’t automatically trigger FCA liability—but it could reflect poorly on your past attestations or current efforts, especially if the gaps are serious.

Recent FCA Claims

In 2024 alone, the DoJ reported that FCA settlements and judgments exceeded $2.9 billion. Yes, billion, the highest total it has ever reported! In fact, whistleblowers filed over 900 lawsuits, a 35% increase from the previous year. Those whistleblowers received over $400 million in awards for their role in exposing fraud, which is why creating a security-first culture is imperative now more than ever.

The Department of Justice is tightening its grip on cybersecurity enforcement—and the message is clear. In May 2025, Raytheon, RTX Corporation, and Nightwing Group LLC paid $8.4 million in response to the allegations that they failed to comply with CMMC. This landmark case signals a new era of accountability: the cost of non-compliance is no longer hypothetical—it’s real, it’s substantial, and it’s only going to escalate from here.

Consequences Beyond the FCA

Even if you never face FCA action, non-compliance with CMMC has real consequences. If you don’t meet the required level, you won’t be eligible for contract awards that include that level as a condition. And if your conditional certification expires due to unresolved POA&Ms, you could lose the ability to bid on or continue existing contracts until you get your status back.

Bottom Line: Be Proactive, Not Reactive

Here’s the uncomfortable truth: if you’re only now starting to meet the cybersecurity requirements that have been in place for years, you could be sitting on a compliance time bomb. CMMC assessments may expose long-standing gaps that were previously glossed over during self-attestation—and those gaps could be viewed as violations under the False Claims Act.

So, what’s the smart move? Get serious about compliance now. Use the CMMC framework—System Security Plans (SSPs), POA&Ms, assessments, affirmations—as a way to document your good-faith efforts and stay ahead of risk. Not only will that help you meet CMMC requirements, but it could also be your best defense against FCA liability down the line.

Whether you need help getting started or want someone to do all of the heavy lifting, Agile IT can help. Our team of security experts specializes in helping defense contractors understand the complexities of CMMC compliance and make strides in their cybersecurity strategy.
